Hi, today I just got my laptop infected with Cerber. All encrypted files have an extension of 4 alphanumeric characters.

After scanning my computer with Malwarebytes, Hitman Pro and Zemana, the only malicious file that was detected is "a.exe", which resides in %appdata%.

Since all the anti-malware software only detected one single malicious file, I was afraid there were other residual files or registry entries left behind by Cerber that remained undetected.

I have already quarantined the malicious "a.exe". What I want to know is:

1) Can I assume my laptop is already freed from Cerber (after I quarantine that one single file)?

2) My D:/ which Lenovo uses for One-Key recovery is also affected. If I use the One-Key recovery to restore to my last restore point, will that be able to remove Cerber?

3)  Is Cerber capable of infecting the Kernel so that after reformatting, it may still re-infect the laptop?


Hi AndersonC :)

Quote

1) Can I assume my laptop is already freed from Cerber (after I quarantine that one single file)?

If your files were encrypted and the ransom notes were dropped/displayed, then the infection is gone, as, like pretty much every ransomware out there, Cerber will delete itself once the encryption process is gone.

Quote

2) My D:/ which Lenovo uses for One-Key recovery is also affected. If I use the One-Key recovery to restore to my last restore point, will that be able

It depends on how OneKey works, I guess. If it saves a copy of your files other than via the volume shadow copy, then there's a chance.

Quote

3)  Is Cerber capable of infecting the Kernel so that after reformatting, it may still re-infect the laptop?

No it isn't.


Hi Aura, thank you very much for your reply. I have a few more questions which I hope you could help me out.

1) Until now, I dare not plug any thumb drive / portable hard disk into my laptop. Was afraid they may get infected as well. But you mentioned Cerber will remove itself, so I am already safe to plug in any removable storage now and I should feel safe to use my laptop just like before the infection?

2) I plan to keep all my encrypted files and wait for a decryptor to be created one day. Other than the encrypted files, are there any other files which could possibly hold the details of the private key that I should keep as well? ( a) I read that some json files may hold the key. b) should I keep/delete all the .hta files generated by Cerber? Are they dangerous? )

 

P.S: I am willing to do my part to help the team by providing any files/info they need to fight this ransomware. This Cerber variant also seems capable of deleting all the files which reside within any folder with folder names containing "back up".


Quote

1) Until now, I dare not plug any thumb drive / portable hard disk into my laptop. Was afraid they may get infected as well. But you mentioned Cerber will remove itself, so I am already safe to plug in any removable storage now and I should feel safe to use my laptop just like before the infection?

Technically, the main Cerber payload (which encrypts the files) should be gone. Though I could make you run FRST beforehand and check the logs to be sure of it.

Quote

2) I plan to keep all my encrypted files and wait for a decryptor to be created one day. Other than the encrypted files, are there any other files which could possibly hold the details of the private key that I should keep as well? ( a) I read that some json files may hold the key. b) should I keep/delete all the .hta files generated by Cerber? Are they dangerous? )

The .hta files are harmless. What I would keep however is a copy of each ransom note file created by Cerber (.hta, .png, .txt, or any other format if any) as their BTC address, URLs, etc. might prove useful in the future.

Quote

P.S: I am willing to do my part to help the team by providing any files/info they need to fight this ransomware. This Cerber variant also seems capable of deleting all the files which reside within any folder with folder names containing "back up".

Was that a folder you created manually, or was it a "back up" created by another program?


59 minutes ago, Aura said:

Was that a folder you created manually, or was it a "back up" created by another program?

Sorry, perhaps you can ignore my previous remark on deletion of contents in "back up" folder. The folder could have been emptied before the infection. The folder was created by another program.

 

1 hour ago, Aura said:

The .hta files are harmless. What I would keep however is a copy of each ransom note file created by Cerber (.hta, .png, .txt, or any other format if any) as their BTC address, URLs, etc. might prove useful in the future.

In that case, I shall unquarantine all the .hta files quarantined by Zemana and I guess I shall place the respective (.hta, .txt, .png) files together with their corresponding encrypted files.

 

1 hour ago, Aura said:

Technically, the main Cerber payload (which encrypts the files) should be gone. Though I could make you run FRST beforehand and check the logs to be sure of it.

Yes, can you help me to run FRST?

 

Thank you so much for all your help and support. Nothing has been worse than yesterday when I got infected in the past decade of my life..


Quote

In that case, I shall unquarantine all the .hta files quarantined by Zemana and I guess I shall place the respective (.hta, .txt, .png) files together with their corresponding encrypted files.

Just one copy of each should be fine.

Quote

Yes, can you help me to run FRST?

Sure :) Follow the instructions in the thread below and attach the FRST.txt and Addition.txt logs in your next post.

https://forums.malwarebytes.com/topic/9573-im-infected-what-do-i-do-now/

Quote

Thank you so much for all your help and support. Nothing has been worse than yesterday when I got infected in the past decade of my life..

No problem! And I can imagine. Being infected with a Ransomware is the last thing you want to happen to you.


Hi Aura, sorry for the late reply. The following is my FRST.txt and Addition.txt

 

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 23-02-2017 01

Ran by Yu Zheng (administrator) on YUZHENG-PC (25-02-2017 03:53:53)
Running from E:\
Loaded Profiles: UpdatusUser & Yu Zheng (Available Profiles: UpdatusUser & Yu Zheng & Anderson)

Platform: Windows 7 Home Premium Service Pack 1 (X64) Language: English (United States)
Internet Explorer Version 11 (Default browser: IE)
Boot Mode: Normal

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(SurfRight B.V.) C:\Program Files (x86)\HitmanPro.Alert\hmpalert.exe
(NVIDIA Corporation) C:\windows\System32\nvvsvc.exe
(Microsoft Corporation) C:\windows\System32\wlanext.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe
(NVIDIA Corporation) C:\windows\System32\nvvsvc.exe
(Broadcom Corporation.) C:\Program Files\Lenovo\Bluetooth Software\btwdins.exe
(Microsoft Corporation) C:\Program Files (x86)\Microsoft Device Health\DhMachineSvc.exe
(Microsoft Corporation) C:\Program Files (x86)\Microsoft Device Health\PluginManager\DhPluginMgr.exe
(Egis Incorporated) C:\Acer\Empowering Technology\eDataSecurity\x86\eDSService.exe
(Malwarebytes) C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe
() C:\Program Files (x86)\RealNetworks\RealDownloader\rndlresolversvc.exe
(www.shadowexplorer.com) C:\Program Files (x86)\ShadowExplorer\sesvc.exe
(Microsoft Corporation) C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe
(Microsoft Corporation) C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
(VMware, Inc.) C:\windows\SysWOW64\vmnat.exe
(Copyright 2017.) C:\Program Files (x86)\Zemana AntiMalware\ZAM.exe
(Microsoft Corporation) C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe
(VMware, Inc.) C:\Program Files (x86)\VMware\VMware Player\vmware-authd.exe
(VMware, Inc.) C:\windows\SysWOW64\vmnetdhcp.exe
(Microsoft Corporation) C:\Program Files (x86)\Common Files\microsoft shared\Virtualization Handler\CVHSVC.EXE
(SurfRight B.V.) C:\Program Files (x86)\HitmanPro.Alert\hmpalert.exe
(Malwarebytes) C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe
(Intel Corporation) C:\windows\System32\hkcmd.exe
(Intel Corporation) C:\windows\System32\igfxpers.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
(Lenovo) C:\Program Files (x86)\Lenovo\Onekey Theater\OnekeyStudio.exe
(Microsoft Corporation) C:\Program Files (x86)\Microsoft Office\Office14\MSOSYNC.EXE
(Egis Incorporated) C:\Acer\Empowering Technology\eDataSecurity\x64\eDSLoader.exe
() C:\Program Files (x86)\Lenovo\Onekey Theater\OnekeySupport.exe
(Lenovo(beijing) Limited) C:\Program Files (x86)\Lenovo\Energy Management\utility.exe
(Lenovo (Beijing) Limited) C:\Program Files (x86)\Lenovo\Energy Management\Energy Management.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
(Egis inc.) C:\Acer\Empowering Technology\eDataSecurity\x86\eDSMSNLoader32.exe
(Microsoft Corporation) C:\windows\System32\dllhost.exe
(Google Inc.) C:\Program Files (x86)\Google\Google Pinyin 2\GooglePinyinDaemon.exe
(Broadcom Corporation.) C:\Program Files\Lenovo\Bluetooth Software\BTTray.exe
(CyberLink) C:\Program Files (x86)\Lenovo\YouCam\YCMMirage.exe
(Lenovo) C:\Program Files (x86)\Lenovo\Lenovo MuteSync\MuteSync.exe
() C:\Program Files (x86)\Google\Google Pinyin 2\GooglePinyinService.exe
(Elaborate Bytes AG) C:\Program Files (x86)\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe
(Oracle Corporation) C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
(Broadcom Corporation.) C:\Program Files\Lenovo\Bluetooth Software\BTStackServer.exe
(Microsoft Corporation) C:\windows\SysWOW64\rundll32.exe
(Broadcom Corporation.) C:\Program Files\Lenovo\Bluetooth Software\BluetoothHeadsetProxy.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe
(McAfee, Inc.) C:\Program Files (x86)\McAfee\SiteAdvisor\mcsacore.exe
(NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe
(Tonec Inc.) C:\Program Files (x86)\Internet Download Manager\IDMan.exe
(Tonec Inc.) C:\Program Files (x86)\Internet Download Manager\IEMonitor.exe
(Microsoft Corporation) C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Internet Download Manager, Tonec Inc.) C:\Program Files (x86)\Internet Download Manager\idmBroker.exe
(Adobe Systems Incorporated) C:\windows\System32\Macromed\Flash\FlashUtil64_20_0_0_228_ActiveX.exe
(Microsoft Corporation) C:\Program Files (x86)\Microsoft Visual Studio 12.0\Common7\IDE\devenv.exe
(Microsoft Corporation) C:\windows\Microsoft.NET\assembly\GAC_32\Microsoft.Alm.Shared.Remoting.RemoteContainer\v4.0_12.0.0.0__b03f5f7f11d50a3a\Microsoft.Alm.Shared.Remoting.RemoteContainer.dll
(Microsoft Corporation) C:\Program Files (x86)\MSBuild\12.0\Bin\MSBuild.exe
(Microsoft Corporation) C:\Program Files (x86)\MSBuild\12.0\Bin\MSBuild.exe
(Microsoft Corporation) C:\Users\Yu Zheng\Documents\Visual Studio 2013\Projects\SchoolCommentsBuilder\SchoolCommentsBuilder\bin\Release\SchoolCommentsBuilder.vshost.exe
(Microsoft Corporation) C:\Program Files (x86)\Microsoft Visual Studio 12.0\Common7\IDE\CommonExtensions\Microsoft\IntelliTrace\12.0.0\IntelliTrace.exe

==================== Registry (Whitelisted) ====================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [RtHDVCpl] => C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [11775592 2011-01-26] (Realtek Semiconductor)
HKLM\...\Run: [SynTPEnh] => C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [2771240 2011-04-21] (Synaptics Incorporated)
HKLM\...\Run: [Lenovo EE Boot Optimizer] => C:\Program Files (x86)\Lenovo\Boot Optimizer\PopWnd.exe [114688 2011-12-27] (Lenovo)
HKLM\...\Run: [OnekeyStudio] => C:\Program Files (x86)\Lenovo\Onekey Theater\OnekeyStudio.exe [789920 2011-12-27] (Lenovo)
HKLM\...\Run: [Energy Management] => C:\Program Files (x86)\Lenovo\Energy Management\Energy Management.exe [9745312 2011-12-27] (Lenovo (Beijing) Limited)
HKLM\...\Run: [EnergyUtility] => C:\Program Files (x86)\Lenovo\Energy Management\Utility.exe [5374880 2011-12-27] (Lenovo(beijing) Limited)
HKLM\...\Run: [AdobeAAMUpdater-1.0] => C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe [499608 2011-03-30] (Adobe Systems Incorporated)
HKLM\...\Run: [eDataSecurity Loader] => C:\Acer\Empowering Technology\eDataSecurity\x64\eDSloader.exe [561200 2009-04-13] (Egis Incorporated)
HKLM\...\Run: [New Value #1] => "ctfmon"="CTFMON.EXE"
HKLM\...\Run: [ZAM] => C:\Program Files (x86)\Zemana AntiMalware\ZAM.exe [14416624 2017-02-02] (Copyright 2017.)
HKLM-x32\...\Run: [MuteSync] => C:\Program Files (x86)\Lenovo\Lenovo MuteSync\MuteSync.exe [336384 2009-12-28] (Lenovo)
HKLM-x32\...\Run: [YouCam Mirage] => C:\Program Files (x86)\Lenovo\YouCam\YCMMirage.exe [136488 2010-12-05] (CyberLink)
HKLM-x32\...\Run: [YouCam Tray] => C:\Program Files (x86)\Lenovo\YouCam\YouCam.exe [224352 2010-12-05] (CyberLink Corp.)
HKLM-x32\...\Run: [VeriFaceManager] => C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe [329056 2011-12-27] (Lenovo)
HKLM-x32\...\Run: [UpdateP2GShortCut] => C:\Program Files (x86)\Lenovo\Power2Go\MUITransfer\MUIStartMenu.exe [222504 2010-07-27] (CyberLink Corp.)
HKLM-x32\...\Run: [UpdatePRCShortCut] => C:\Program Files\Lenovo\OneKey App\OneKey Recovery\MUITransfer\MUIStartMenu.exe [222504 2009-05-14] (CyberLink Corp.)
HKLM-x32\...\Run: [VirtualCloneDrive] => C:\Program Files (x86)\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe [52392 2009-01-30] (Elaborate Bytes AG)
HKLM-x32\...\Run: [SwitchBoard] => C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [517096 2010-02-19] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [AdobeCS5.5ServiceManager] => C:\Program Files (x86)\Common Files\Adobe\CS5.5ServiceManager\CS5.5ServiceManager.exe [1523360 2011-01-12] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [BCSSync] => C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe [91520 2010-01-21] (Microsoft Corporation)
HKLM-x32\...\Run: [SunJavaUpdateSched] => C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [597040 2015-10-06] (Oracle Corporation)
HKLM-x32\...\Run: [Ninox Aurora mouse] => C:\Program Files (x86)\LBOTS Top Mouse\DareUMonitor.exe [495616 2013-12-28] ()
HKLM-x32\...\Run: [SystemExplorerAutoStart] => "C:\Program Files (x86)\System Explorer\SystemExplorer.exe" /TRAY
HKLM Group Policy restriction on software: %userprofile%\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.docx*.scr <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Local\*\*.jse <====== ATTENTION
HKLM Group Policy restriction on software: *.avi*.js <====== ATTENTION
HKLM Group Policy restriction on software: *.jpg*.com <====== ATTENTION
HKLM Group Policy restriction on software: *.wmv*.bat <====== ATTENTION
HKLM Group Policy restriction on software: *.bmp*.js <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\LocalLow\*\*.bat <====== ATTENTION
HKLM Group Policy restriction on software: *.mp4*.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.wma*.com <====== ATTENTION
HKLM Group Policy restriction on software: *.rar*.bat <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Local\*\*.pif <====== ATTENTION
HKLM Group Policy restriction on software: scsvserv.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.pdf*.exe <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\LocalLow\*.js <====== ATTENTION
HKLM Group Policy restriction on software: C:\Users\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Local\Temp\7z*\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.bmp*.bat <====== ATTENTION
HKLM Group Policy restriction on software: *.pub*.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.txt*.com <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\LocalLow\*\*.js <====== ATTENTION
HKLM Group Policy restriction on software: *.bmp*.com <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\LocalLow\*\*.com <====== ATTENTION
HKLM Group Policy restriction on software: *.pptx*.jse <====== ATTENTION
HKLM Group Policy restriction on software: %appdata%\*.jse <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Local\Temp\wz*\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.mp4*.exe <====== ATTENTION
HKLM Group Policy restriction on software: %allusersprofile%\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: %programdata%\*.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.rtf*.com <====== ATTENTION
HKLM Group Policy restriction on software: *.rar*.com <====== ATTENTION
HKLM Group Policy restriction on software: *.xls*.bat <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Local\Temp\wz*\*.bat <====== ATTENTION
HKLM Group Policy restriction on software: *.wma*.cmd <====== ATTENTION
HKLM Group Policy restriction on software: C:\Users\*.pif <====== ATTENTION
HKLM Group Policy restriction on software: %programdata%\*.jse <====== ATTENTION
HKLM Group Policy restriction on software: *.gif*.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.pptx*.bat <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Local\*\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.bmp*.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.doc*.exe <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\LocalLow\*.pif <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Local\Temp\*.pif <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Local\Temp\rar*\*.jse <====== ATTENTION
HKLM Group Policy restriction on software: *.7z*.bat <====== ATTENTION
HKLM Group Policy restriction on software: %appdata%\*\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.mp3*.pif <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\LocalLow\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\LocalLow\*.bat <====== ATTENTION
HKLM Group Policy restriction on software: *.ppt*.com <====== ATTENTION
HKLM Group Policy restriction on software: *.bmp*.cmd <====== ATTENTION
HKLM Group Policy restriction on software: C:\Users\*.scr <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Roaming\*\*.js <====== ATTENTION
HKLM Group Policy restriction on software: %appdata%\*.bat <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\LocalLow\*.cmd <====== ATTENTION
HKLM Group Policy restriction on software: *.zip*.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.ppt*.pif <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Local\Temp\7z*\*.bat <====== ATTENTION
HKLM Group Policy restriction on software: *.avi*.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.avi*.jse <====== ATTENTION
HKLM Group Policy restriction on software: *.avi*.com <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Local\Temp\*.jse <====== ATTENTION
HKLM Group Policy restriction on software: *.doc*.js <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\*.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.pub*.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.doc*.scr <====== ATTENTION
HKLM Group Policy restriction on software: %programdata%\*.cmd <====== ATTENTION
HKLM Group Policy restriction on software: %appdata%\*\*.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.zip*.com <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Local\Temp\7z*\*.jse <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Local\Temp\*.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.jpg*.js <====== ATTENTION
HKLM Group Policy restriction on software: %allusersprofile%\*.com <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Local\Temp\rar*\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.txt*.bat <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Roaming\*.cmd <====== ATTENTION
HKLM Group Policy restriction on software: *.rtf*.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.jpg*.scr <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\*.jse <====== ATTENTION
HKLM Group Policy restriction on software: *.avi*.cmd <====== ATTENTION
HKLM Group Policy restriction on software: *.gif*.com <====== ATTENTION
HKLM Group Policy restriction on software: *.mp3*.jse <====== ATTENTION
HKLM Group Policy restriction on software: *.jpeg*.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.mp3*.cmd <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\*.js <====== ATTENTION
HKLM Group Policy restriction on software: *.wma*.pif <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Local\Temp\*.zip\*.cmd <====== ATTENTION
HKLM Group Policy restriction on software: *.txt*.js <====== ATTENTION
HKLM Group Policy restriction on software: *.doc*.com <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Local\*\*.cmd <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Local\Temp\rar*\*.bat <====== ATTENTION
HKLM Group Policy restriction on software: *.docx*.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.mp3*.js <====== ATTENTION
HKLM Group Policy restriction on software: *.7z*.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.divx*.cmd <====== ATTENTION
HKLM Group Policy restriction on software: *.avi*.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.jpeg*.jse <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Local\Temp\7z*\*.js <====== ATTENTION
HKLM Group Policy restriction on software: *.wmv*.cmd <====== ATTENTION
HKLM Group Policy restriction on software: %programdata%\*.bat <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Local\Temp\*.zip\*.com <====== ATTENTION
HKLM Group Policy restriction on software: *.rar*.cmd <====== ATTENTION
HKLM Group Policy restriction on software: *.7z*.cmd <====== ATTENTION
HKLM Group Policy restriction on software: *.wav*.scr <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\*.com <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Local\Temp\rar*\*.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.wmv*.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.doc*.bat <====== ATTENTION
HKLM Group Policy restriction on software: *.txt*.jse <====== ATTENTION
HKLM Group Policy restriction on software: C:\Users\*.bat <====== ATTENTION
HKLM Group Policy restriction on software: *.7z*.com <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\*.pif <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Local\Temp\*.zip\*.jse <====== ATTENTION
HKLM Group Policy restriction on software: *.png*.exe <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Local\*\*.scr <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Local\Temp\rar*\*.scr <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Local\*\*.js <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Local\Temp\wz*\*.com <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Roaming\*\*.com <====== ATTENTION
HKLM Group Policy restriction on software: *.txt*.pif <====== ATTENTION
HKLM Group Policy restriction on software: %programdata%\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.jpg*.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.divx*.js <====== ATTENTION
HKLM Group Policy restriction on software: *.ppt*.bat <====== ATTENTION
HKLM Group Policy restriction on software: *.rtf*.jse <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Roaming\*\*.jse <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Local\*.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.ppt*.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.pdf*.com <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\*.com <====== ATTENTION
HKLM Group Policy restriction on software: *.xls*.pif <====== ATTENTION
HKLM Group Policy restriction on software: C:\Users\*.js <====== ATTENTION
HKLM Group Policy restriction on software: %appdata%\*\*.bat <====== ATTENTION
HKLM Group Policy restriction on software: *.divx*.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.gif*.cmd <====== ATTENTION
HKLM Group Policy restriction on software: *.zip*.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.wav*.jse <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\*.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.wav*.bat <====== ATTENTION
HKLM Group Policy restriction on software: *.ppt*.js <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\*.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.avi*.bat <====== ATTENTION
HKLM Group Policy restriction on software: %programfiles(x86)%\*\svchost.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.pub*.cmd <====== ATTENTION
HKLM Group Policy restriction on software: %appdata%\*.com <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Local\Temp\*.cmd <====== ATTENTION
HKLM Group Policy restriction on software: *.png*.jse <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Local\*.cmd <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Roaming\*.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.zip*.cmd <====== ATTENTION
HKLM Group Policy restriction on software: *.pdf*.cmd <====== ATTENTION
HKLM Group Policy restriction on software: *.rtf*.pif <====== ATTENTION
HKLM Group Policy restriction on software: C:\Users\*.jse <====== ATTENTION
HKLM Group Policy restriction on software: *.wav*.com <====== ATTENTION
HKLM Group Policy restriction on software: *.wmv*.jse <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Local\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\LocalLow\*\*.scr <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Local\Temp\rar*\*.com <====== ATTENTION
HKLM Group Policy restriction on software: %appdata%\*.js <====== ATTENTION
HKLM Group Policy restriction on software: bcdedit.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.docx*.jse <====== ATTENTION
HKLM Group Policy restriction on software: *.xls*.com <====== ATTENTION
HKLM Group Policy restriction on software: *.doc*.cmd <====== ATTENTION
HKLM Group Policy restriction on software: ** <====== ATTENTION
HKLM Group Policy restriction on software: %programdata%\*.scr <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Local\Temp\*.com <====== ATTENTION
HKLM Group Policy restriction on software: *.divx*.bat <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Roaming\*\*.pif <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Local\Temp\wz*\*.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.wmv*.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.gif*.jse <====== ATTENTION
HKLM Group Policy restriction on software: *.pub*.jse <====== ATTENTION
HKLM Group Policy restriction on software: %appdata%\*.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.ppt*.cmd <====== ATTENTION
HKLM Group Policy restriction on software: *.xlsx*.scr <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Local\Temp\*.js <====== ATTENTION
HKLM Group Policy restriction on software: *.pub*.com <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Local\*\*.com <====== ATTENTION
HKLM Group Policy restriction on software: *.mp4*.bat <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Roaming\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Local\Temp\rar*\*.js <====== ATTENTION
HKU\S-1-5-18\...\RunOnce: [dialer] => "C:\windows\system32\config\systemprofile\AppData\Roaming\{FBFAFF78-223B-D7FF-6D0C-F7C584759878}\dialer.exe"
HKU\S-1-5-18\...\RunOnce: [ctfmon] => "C:\windows\system32\config\systemprofile\AppData\Roaming\{FBFAFF78-223B-D7FF-6D0C-F7C584759878}\ctfmon.exe"
HKU\S-1-5-18\...\RunOnce: [cacls] => "C:\windows\system32\config\systemprofile\AppData\Roaming\{FBFAFF78-223B-D7FF-6D0C-F7C584759878}\cacls.exe"
HKU\S-1-5-18\...\RunOnce: [isoburn] => "C:\windows\system32\config\systemprofile\AppData\Roaming\{FBFAFF78-223B-D7FF-6D0C-F7C584759878}\isoburn.exe"
HKU\S-1-5-18\...\Policies\Explorer: [Run] "C:\windows\system32\config\systemprofile\AppData\Roaming\{FBFAFF78-223B-D7FF-6D0C-F7C584759878}\isoburn.exe"
HKU\S-1-5-18\Control Panel\Desktop\\SCRNSAVE.EXE -> C:\windows\system32\config\systemprofile\AppData\Roaming\{FBFAFF78-223B-D7FF-6D0C-F7C584759878}\isoburn.exe
AppInit_DLLs: C:\windows\system32\nvinitx.dll => C:\windows\system32\nvinitx.dll [226920 2011-03-04] (NVIDIA Corporation)
AppInit_DLLs-x32: C:\windows\SysWOW64\nvinit.dll => C:\windows\SysWOW64\nvinit.dll [192616 2011-03-04] (NVIDIA Corporation)
ShellIconOverlayIdentifiers: [   IDM Shell Extension] -> {CDC95B92-E27C-4745-A8C5-64A52A78855D} => C:\Program Files (x86)\Internet Download Manager\IDMShellExt64.dll [2015-08-14] (Tonec Inc.)
ShellIconOverlayIdentifiers: [egisPSDP] -> {30A0A3F6-38AC-4C53-BB8B-0D95238E25BA} => C:\Acer\Empowering Technology\eDataSecurity\x64\PSDProtect.dll [2009-04-13] (Egis Inc.)
ShellIconOverlayIdentifiers: [VeriFace Enc] -> {771C7324-DA80-49D3-8017-753B0AF60951} => C:\windows\system32\IcnOvrly.dll [2011-12-27] ()
ShellIconOverlayIdentifiers-x32: [egisPSDP] -> {30A0A3F6-38AC-4C53-BB8B-0D95238E25BA} => C:\Acer\Empowering Technology\eDataSecurity\x86\PSDProtect.dll [2009-04-13] (Egis Inc.)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Bluetooth.lnk [2011-12-27]
ShortcutTarget: Bluetooth.lnk -> C:\Program Files\Lenovo\Bluetooth Software\BTTray.exe (Broadcom Corporation.)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Empowering Technology Launcher.lnk [2013-02-04]
ShortcutTarget: Empowering Technology Launcher.lnk -> C:\Acer\Empowering Technology\eAPLauncher.exe (Acer Inc.)

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

Hosts: There are more than one entry in Hosts. See Hosts section of Addition.txt
Tcpip\Parameters: [DhcpNameServer] 192.168.0.1
Tcpip\..\Interfaces\{3D693390-84DF-4CEB-ABA7-D71EBB40E34B}: [DhcpNameServer] 192.168.0.1

Internet Explorer:
==================
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.yahoo.com.sg
HKU\S-1-5-21-1359419172-3491595909-2348629299-1000\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://www.lenovo.com
HKU\S-1-5-21-1359419172-3491595909-2348629299-1000\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = hxxp://xin.msn.com/
HKU\S-1-5-21-1359419172-3491595909-2348629299-1001\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = hxxp://xin.msn.com/
HKU\S-1-5-21-1359419172-3491595909-2348629299-1001\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.yahoo.com.sg/
URLSearchHook: HKU\S-1-5-21-1359419172-3491595909-2348629299-1000 - (No Name) - {B922D405-6D13-4A2B-AE89-08A030DA4402} - No File
URLSearchHook: HKU\S-1-5-21-1359419172-3491595909-2348629299-1000 - McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\Program Files (x86)\McAfee\SiteAdvisor\x64\McIEPlg.dll (McAfee, Inc.)
URLSearchHook: HKU\S-1-5-21-1359419172-3491595909-2348629299-1000 - McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\Program Files (x86)\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
SearchScopes: HKLM -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxp://www.bing.com/search?q={searchTerms}&form=LENDF8&pc=MALN&src=IE-SearchBox
SearchScopes: HKLM-x32 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxp://www.bing.com/search?q={searchTerms}&form=LENDF8&pc=MALN&src=IE-SearchBox
SearchScopes: HKU\S-1-5-21-1359419172-3491595909-2348629299-1000 -> {1FF7973D-AB0A-496d-82C1-4EADBBA11E7B} URL = hxxp://www.soso.com/q?sc=web&cid=tb.ub&w={searchTerms}&gid=m3nmSH7aBaJN3WRsM5VnlR0l108501k4&lr=&ie={inputEncoding}&unc=x400443_1
SearchScopes: HKU\S-1-5-21-1359419172-3491595909-2348629299-1001 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-21-1359419172-3491595909-2348629299-1001 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
BHO: IDM integration (IDMIEHlprObj Class) -> {0055C089-8582-441B-A0BF-17B458C2A3A8} -> C:\Program Files (x86)\Internet Download Manager\IDMIECC64.dll [2015-08-28] (Internet Download Manager, Tonec Inc.)
BHO: Groove GFS Browser Helper -> {72853161-30C5-4D22-B7F9-0BBC1D38A37E} -> C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL [2010-01-21] (Microsoft Corporation)
BHO: Java(tm) Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files\Java\jre1.8.0_60\bin\ssv.dll [2015-09-19] (Oracle Corporation)
BHO: ShowBarObj Class -> {83A2F9B1-01A2-4AA5-87D1-45B6B8505E96} -> C:\Acer\Empowering Technology\eDataSecurity\x64\ActiveToolBand.dll [2009-04-13] (Egis)
BHO: Google Toolbar Helper -> {AA58ED58-01DD-4d91-8333-CF10577473F7} -> C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll [2016-04-29] (Google Inc.)
BHO: McAfee WebAdvisor BHO -> {B164E929-A1B6-4A06-B104-2CD0E90A88FF} -> c:\Program Files (x86)\McAfee\SiteAdvisor\x64\McIEPlg.dll [2017-02-06] (McAfee, Inc.)
BHO: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL [2010-01-16] (Microsoft Corporation)
BHO: Java(tm) Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre1.8.0_60\bin\jp2ssv.dll [2015-09-19] (Oracle Corporation)
BHO: Hotspot Shield Class -> {F9E4A054-E9B1-4BC3-83A3-76A1AE736170} -> C:\Program Files (x86)\Hotspot Shield\HssIE\HssIE_64.dll => No File
BHO-x32: IDM integration (IDMIEHlprObj Class) -> {0055C089-8582-441B-A0BF-17B458C2A3A8} -> C:\Program Files (x86)\Internet Download Manager\IDMIECC.dll [2015-08-28] (Internet Download Manager, Tonec Inc.)
BHO-x32: ContributeBHO Class -> {074C1DC5-9320-4A9A-947D-C042949C6216} -> C:\Program Files (x86)\Adobe\Adobe Contribute CS5.1\Plugins\IEPlugin\contributeieplugin.dll [2011-03-19] (Adobe Systems, Inc.)
BHO-x32: RealNetworks Download and Record Plugin for Internet Explorer -> {3049C3E9-B461-4BC5-8870-4C09146192CA} -> C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\IE\rndlbrowserrecordplugin.dll [2012-08-09] (RealDownloader)
BHO-x32: Microsoft Web Test Recorder 12.0 Helper -> {432dd630-7e03-4c97-9d62-b99f52df4fc2} -> C:\Program Files (x86)\Microsoft Visual Studio 12.0\Common7\IDE\PrivateAssemblies\Microsoft.VisualStudio.QualityTools.RecorderBarBHO100.dll [2013-10-05] (Microsoft Corporation)
BHO-x32: Groove GFS Browser Helper -> {72853161-30C5-4D22-B7F9-0BBC1D38A37E} -> C:\Program Files (x86)\Microsoft Office\Office14\GROOVEEX.DLL [2010-01-21] (Microsoft Corporation)
BHO-x32: Java(tm) Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files (x86)\Java\jre1.8.0_65\bin\ssv.dll [2015-10-25] (Oracle Corporation)
BHO-x32: Windows Live Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2006-08-31] (Microsoft Corporation)
BHO-x32: Google Toolbar Helper -> {AA58ED58-01DD-4d91-8333-CF10577473F7} -> C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll [2016-04-29] (Google Inc.)
BHO-x32: McAfee WebAdvisor BHO -> {B164E929-A1B6-4A06-B104-2CD0E90A88FF} -> c:\Program Files (x86)\McAfee\SiteAdvisor\McIEPlg.dll [2017-02-06] (McAfee, Inc.)
BHO-x32: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL [2010-01-16] (Microsoft Corporation)
BHO-x32: Java(tm) Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre1.8.0_65\bin\jp2ssv.dll [2015-10-25] (Oracle Corporation)
Toolbar: HKLM - Acer eDataSecurity Management - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\Acer\Empowering Technology\eDataSecurity\x64\eDStoolbar.dll [2009-04-13] (Egis Incorporated.)
Toolbar: HKLM - Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll [2016-04-29] (Google Inc.)
Toolbar: HKLM-x32 - Contribute Toolbar - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - C:\Program Files (x86)\Adobe\Adobe Contribute CS5.1\Plugins\IEPlugin\contributeieplugin.dll [2011-03-19] (Adobe Systems, Inc.)
Toolbar: HKLM-x32 - Acer eDataSecurity Management - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\Acer\Empowering Technology\eDataSecurity\x86\eDStoolbar.dll [2009-04-13] (Egis Incorporated.)
Toolbar: HKLM-x32 - Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll [2016-04-29] (Google Inc.)
Toolbar: HKU\S-1-5-21-1359419172-3491595909-2348629299-1000 -> Google Toolbar - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll [2016-04-29] (Google Inc.)
Toolbar: HKU\S-1-5-21-1359419172-3491595909-2348629299-1001 -> Google Toolbar - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll [2016-04-29] (Google Inc.)
DPF: HKLM-x32 {233C1507-6A77-46A4-9443-F871F945D258} hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: HKLM-x32 {5D6F45B3-9043-443D-A792-115447494D24} hxxp://messenger.zone.msn.com/MessengerGamesContent/GameContent/fr/uno1/GAME_UNO1.cab
DPF: HKLM-x32 {C3F79A2B-B9B4-4A66-B012-3EE46475B072} hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files (x86)\McAfee\SiteAdvisor\x64\McIEPlg.dll [2017-02-06] (McAfee, Inc.)
Handler-x32: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files (x86)\McAfee\SiteAdvisor\McIEPlg.dll [2017-02-06] (McAfee, Inc.)
Handler-x32: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files (x86)\Windows Live\Messenger\msgrapp.8.5.1235.0517.dll [2007-05-17] (Microsoft Corporation)
Handler-x32: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files (x86)\Windows Live\Messenger\msgrapp.8.5.1235.0517.dll [2007-05-17] (Microsoft Corporation)
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files (x86)\McAfee\SiteAdvisor\x64\McIEPlg.dll [2017-02-06] (McAfee, Inc.)
Handler-x32: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files (x86)\McAfee\SiteAdvisor\McIEPlg.dll [2017-02-06] (McAfee, Inc.)
Handler-x32: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll [2014-04-08] (Skype Technologies)

FireFox:
========
FF HKLM\...\Firefox\Extensions: [{4ED1F68A-5463-4931-9384-8FFF5ED91D92}] - C:\Program Files (x86)\McAfee\SiteAdvisor\saffplg.xpi
FF Extension: (McAfee WebAdvisor) - C:\Program Files (x86)\McAfee\SiteAdvisor\saffplg.xpi [2017-02-21]
FF HKLM-x32\...\Firefox\Extensions: [{4ED1F68A-5463-4931-9384-8FFF5ED91D92}] - C:\Program Files (x86)\McAfee\SiteAdvisor\saffplg.xpi
FF HKLM-x32\...\Firefox\Extensions: [{01A8CA0A-4C96-465b-A49B-65C46FAD54F9}] - C:\Program Files (x86)\Adobe\Adobe Contribute CS5.1\Plugins\FirefoxPlugin\{01A8CA0A-4C96-465b-A49B-65C46FAD54F9}
FF Extension: (Adobe Contribute Toolbar) - C:\Program Files (x86)\Adobe\Adobe Contribute CS5.1\Plugins\FirefoxPlugin\{01A8CA0A-4C96-465b-A49B-65C46FAD54F9} [2013-06-30] [not signed]
FF HKLM-x32\...\Firefox\Extensions: [{B1FC07E1-E05B-4567-8891-E63FBE545BA8}] - C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\Firefox\Ext
FF Extension: (RealDownloader) - C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\Firefox\Ext [2013-08-27] [not signed]
FF HKLM-x32\...\Firefox\Extensions: [{ABDE892B-13A8-4d1b-88E6-365A6E755758}] - C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\Firefox\Ext
FF HKU\S-1-5-21-1359419172-3491595909-2348629299-1001\...\SeaMonkey\Extensions: [mozilla_cc@internetdownloadmanager.com] - C:\Users\Yu Zheng\AppData\Roaming\IDM\idmmzcc5
FF Extension: (IDM CC) - C:\Users\Yu Zheng\AppData\Roaming\IDM\idmmzcc5 [2017-02-24] [not signed]
FF Plugin: @adobe.com/FlashPlayer -> C:\windows\system32\Macromed\Flash\NPSWF64_20_0_0_235.dll [2015-12-09] ()
FF Plugin: @java.com/DTPlugin,version=11.60.2 -> C:\Program Files\Java\jre1.8.0_60\bin\dtplugin\npDeployJava1.dll [2015-09-19] (Oracle Corporation)
FF Plugin: @java.com/JavaPlugin,version=11.60.2 -> C:\Program Files\Java\jre1.8.0_60\bin\plugin2\npjp2.dll [2015-09-19] (Oracle Corporation)
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~1\MICROS~2\Office14\NPAUTHZ.DLL [2010-01-09] (Microsoft Corporation)
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\windows\SysWOW64\Macromed\Flash\NPSWF32_20_0_0_235.dll [2015-12-09] ()
FF Plugin-x32: @adobe.com/ShockwavePlayer -> C:\windows\SysWOW64\Adobe\Director\np32dsw_1213153.dll [2014-06-25] (Adobe Systems, Inc.)
FF Plugin-x32: @java.com/DTPlugin,version=11.65.2 -> C:\Program Files (x86)\Java\jre1.8.0_65\bin\dtplugin\npDeployJava1.dll [2015-10-25] (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin,version=11.65.2 -> C:\Program Files (x86)\Java\jre1.8.0_65\bin\plugin2\npjp2.dll [2015-10-25] (Oracle Corporation)
FF Plugin-x32: @kingsfot.com/npkws -> C:\Program Files (x86)\Kingsoft\kingsoft antivirus\npkws.dll [No File]
FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files (x86)\Microsoft Silverlight\5.1.20513.0\npctrl.dll [2013-05-13] ( Microsoft Corporation)
FF Plugin-x32: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~2\MICROS~1\Office14\NPAUTHZ.DLL [2010-01-09] (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~2\MICROS~1\Office14\NPSPWRAP.DLL [2010-03-24] (Microsoft Corporation)
FF Plugin-x32: @nvidia.com/3DVision -> C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dv.dll [No File]
FF Plugin-x32: @nvidia.com/3DVisionStreaming -> C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dvstreaming.dll [No File]
FF Plugin-x32: @real.com/nprndlchromebrowserrecordext;version=1.2.0 -> C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\MozillaPlugins\nprndlchromebrowserrecordext.dll [2012-08-09] (RealNetworks, Inc.)
FF Plugin-x32: @real.com/nprndlhtml5videoshim;version=1.2.0 -> C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\MozillaPlugins\nprndlhtml5videoshim.dll [2012-08-09] (RealNetworks, Inc.)
FF Plugin-x32: @realnetworks.com/npdlplugin;version=1 -> C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\npdlplugin.dll [2012-08-09] (RealDownloader)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.32.7\npGoogleUpdate3.dll [2016-12-17] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.32.7\npGoogleUpdate3.dll [2016-12-17] (Google Inc.)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll [2015-09-24] (Adobe Systems Inc.)
FF Plugin HKU\S-1-5-21-1359419172-3491595909-2348629299-1001: @unity3d.com/UnityPlayer,version=1.0 -> C:\Users\Yu Zheng\AppData\LocalLow\Unity\WebPlayer\loader\npUnity3D32.dll [2013-08-27] (Unity Technologies ApS)

Chrome:
=======
CHR DefaultProfile: Default
CHR HomePage: Default -> hxxp:\/\/www.google.com\/ig\/redirectdomain?brand=LENN&bmod=LENN
CHR StartupUrls: Default -> "hxxp:\/\/www.google.com.sg\/"
CHR Plugin: (Widevine Content Decryption Module) - C:\Users\Yu Zheng\AppData\Local\Google\Chrome\User Data\WidevineCDM\1.4.8.823\_platform_specific\win_x86\widevinecdmadapter.dll => No File
CHR Plugin: (Shockwave Flash) - C:\Program Files (x86)\Google\Chrome\Application\54.0.2840.99\PepperFlash\pepflashplayer.dll => No File
CHR Profile: C:\Users\Yu Zheng\AppData\Local\Google\Chrome\User Data\Default [2017-02-24]
CHR Extension: (McAfee® WebAdvisor) - C:\Users\Yu Zheng\AppData\Local\Google\Chrome\User Data\Default\Extensions\fheoggkfdfchfphceeifdbepaooicaho [2016-09-24]
CHR Extension: (Downloader) - C:\Users\Yu Zheng\AppData\Local\Google\Chrome\User Data\Default\Extensions\idhngdhcfkoamngbedgpaokgjbnpdiji [2013-08-27]
CHR Extension: (Skype) - C:\Users\Yu Zheng\AppData\Local\Google\Chrome\User Data\Default\Extensions\lifbcibllhkdhoafpjfnlhfpfgnpldfl [2016-10-24]
CHR Extension: (Chrome Web Store Payments) - C:\Users\Yu Zheng\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2016-04-12]
CHR Extension: (Chrome Media Router) - C:\Users\Yu Zheng\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2016-09-23]
CHR HKLM\...\Chrome\Extension: [fheoggkfdfchfphceeifdbepaooicaho] - C:\Program Files (x86)\McAfee\SiteAdvisor\McChPlg.crx [2016-06-19]
CHR HKLM\...\Chrome\Extension: [ngpampappnmepgilojfohadhhmbhlaek] - C:\Program Files (x86)\Internet Download Manager\IDMGCExt.crx [2015-08-28]
CHR HKLM-x32\...\Chrome\Extension: [fheoggkfdfchfphceeifdbepaooicaho] - C:\Program Files (x86)\McAfee\SiteAdvisor\McChPlg.crx [2016-06-19]
CHR HKLM-x32\...\Chrome\Extension: [idhngdhcfkoamngbedgpaokgjbnpdiji] - C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\Chrome\Ext\realdownloader.crx [2012-08-09]
CHR HKLM-x32\...\Chrome\Extension: [lifbcibllhkdhoafpjfnlhfpfgnpldfl] - hxxps://clients2.google.com/service/update2/crx

==================== Services (Whitelisted) ====================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R2 btwdins; C:\Program Files\Lenovo\Bluetooth Software\btwdins.exe [953632 2010-12-15] (Broadcom Corporation.)
S3 c2wts; C:\Program Files\Windows Identity Foundation\v3.5\c2wtshost.exe [15768 2010-02-03] (Microsoft Corporation)
R2 DeviceHealth; C:\Program Files (x86)\Microsoft Device Health\DhMachineSvc.exe [196760 2015-01-30] (Microsoft Corporation)
R2 DeviceHealthPluginMgr; C:\Program Files (x86)\Microsoft Device Health\PluginManager\DhPluginMgr.exe [244376 2015-01-30] (Microsoft Corporation)
R2 eDataSecurity Service; C:\Acer\Empowering Technology\eDataSecurity\x86\eDSService.exe [500784 2009-04-13] (Egis Incorporated)
S3 fussvc; C:\Program Files (x86)\Windows Kits\8.1\App Certification Kit\fussvc.exe [142336 2013-08-22] (Microsoft Corporation) [File not signed]
R2 hmpalertsvc; C:\Program Files (x86)\HitmanPro.Alert\hmpalert.exe [4902536 2017-02-24] (SurfRight B.V.)
S3 IDriverT; C:\Program Files (x86)\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe [69632 2005-04-04] (Macrovision Corporation) [File not signed]
R2 MBAMService; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe [1136608 2016-03-10] (Malwarebytes)
R2 McAfee SiteAdvisor Service; C:\Program Files (x86)\McAfee\SiteAdvisor\McSACore.exe [188352 2017-02-06] (McAfee, Inc.)
S3 MYSQL01; C:\ProgramData\MySQL\MySQL Server 5.6\my.ini [14252 2014-07-28] () [File not signed]
R2 RealNetworks Downloader Resolver Service; C:\Program Files (x86)\RealNetworks\RealDownloader\rndlresolversvc.exe [38608 2012-08-09] ()
R2 sesvc; C:\Program Files (x86)\ShadowExplorer\sesvc.exe [9216 2013-01-02] (www.shadowexplorer.com) [File not signed]
S3 SwitchBoard; C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [517096 2010-02-19] (Adobe Systems Incorporated) [File not signed]
S3 SystemExplorerHelpService; C:\Program Files (x86)\System Explorer\service\SystemExplorerService64.exe [820960 2014-12-20] (Mister Group)
S3 Te.Service; C:\Program Files (x86)\Windows Kits\8.1\Testing\Runtimes\TAEF\Wex.Services.exe [119808 2013-08-22] (Microsoft Corporation) [File not signed]
S3 usnjsvc; C:\Program Files (x86)\Windows Live\Messenger\usnsvc.exe [98672 2007-05-17] (Microsoft Corporation)
R2 VMAuthdService; C:\Program Files (x86)\VMware\VMware Player\vmware-authd.exe [79872 2012-01-18] (VMware, Inc.) [File not signed]
S3 VsEtwService120; C:\Program Files\Microsoft Visual Studio 12.0\Common7\Packages\Debugger\Services\VsEtwService.exe [87728 2013-10-04] (Microsoft Corporation)
R2 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2009-07-14] (Microsoft Corporation)
S3 WLSetupSvc; C:\Program Files (x86)\Windows Live\installer\WLSetupSvc.exe [228208 2007-05-16] ()
R2 ZAMSvc; C:\Program Files (x86)\Zemana AntiMalware\ZAM.exe [14416624 2017-02-02] (Copyright 2017.)
S2 Stereo Service; C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [X]

===================== Drivers (Whitelisted) ======================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R3 hmpalert; C:\windows\system32\drivers\hmpalert.sys [274816 2017-02-24] (SurfRight B.V.)
R3 hmpnet; C:\windows\system32\drivers\hmpnet.sys [92712 2017-02-24] (SurfRight B.V.)
R2 IntelHaxm; C:\windows\System32\DRIVERS\IntelHaxm.sys [89072 2013-03-21] ()
R3 MBAMProtector; C:\windows\system32\drivers\mbam.sys [27008 2016-03-10] (Malwarebytes)
R3 MBAMSwissArmy; C:\windows\system32\drivers\MBAMSwissArmy.sys [192216 2017-02-24] (Malwarebytes)
S3 MBAMWebAccessControl; C:\windows\system32\drivers\mwac.sys [64896 2016-03-10] (Malwarebytes Corporation)
R3 mfesapsn; C:\Program Files (x86)\McAfee\SiteAdvisor\x64\mfesapsn.sys [46240 2016-06-06] (McAfee, Inc.)
R0 PSDFilter; C:\windows\System32\DRIVERS\psdfilter.sys [22064 2009-04-13] (Egis Incorporated)
R2 PSDNServ; C:\windows\System32\drivers\PSDNServ.sys [21040 2009-04-13] (Egis Incorporated)
R2 psdvdisk; C:\windows\System32\drivers\psdvdisk.sys [60976 2009-04-13] (Egis Incorporated)
R3 rtsuvc; C:\windows\System32\DRIVERS\rtsuvc.sys [8200552 2010-09-27] (Realtek Semiconductor Corp.)
S3 taphss6; C:\windows\System32\DRIVERS\taphss6.sys [42184 2014-03-20] (Anchorfree Inc.)
R1 ZAM; C:\windows\System32\drivers\zam64.sys [203680 2017-02-24] (Zemana Ltd.)
R1 ZAM_Guard; C:\windows\System32\drivers\zamguard64.sys [203680 2017-02-24] (Zemana Ltd.)
U3 BcmSqlStartupSvc; no ImagePath
U2 CLKMSVC10_3A60B698; no ImagePath
U2 CLKMSVC10_C3B3B687; no ImagePath
U2 DriverService; no ImagePath
U2 IAStorDataMgrSvc; no ImagePath
U2 iATAgentService; no ImagePath
U2 idealife Update Service; no ImagePath
U3 IGRS; no ImagePath
U2 IviRegMgr; no ImagePath
U2 Oasis2Service; no ImagePath
U2 PCCarerService; no ImagePath
U2 ReadyComm.DirectRouter; no ImagePath
U2 RichVideo; no ImagePath
U2 RtLedService; no ImagePath
U2 SeaPort; no ImagePath
U2 SoftwareService; no ImagePath

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2017-02-25 03:53 - 2017-02-25 03:53 - 00000000 ____D C:\FRST
2017-02-25 01:19 - 2017-02-25 01:19 - 00000000 ____D C:\Users\Anderson\AppData\Local\Zemana
2017-02-24 16:49 - 2017-02-24 17:43 - 00054736 _____ C:\windows\system32\Drivers\hitmanpro37.sys
2017-02-24 16:09 - 2017-02-24 16:09 - 00909448 _____ (SurfRight B.V.) C:\windows\system32\hmpalert.dll
2017-02-24 16:09 - 2017-02-24 16:09 - 00840328 _____ (SurfRight B.V.) C:\windows\SysWOW64\hmpalert.dll
2017-02-24 16:09 - 2017-02-24 16:09 - 00274816 _____ (SurfRight B.V.) C:\windows\system32\Drivers\hmpalert.sys
2017-02-24 16:09 - 2017-02-24 16:09 - 00092712 _____ (SurfRight B.V.) C:\windows\system32\Drivers\hmpnet.sys
2017-02-24 16:09 - 2017-02-24 16:09 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\HitmanPro.Alert
2017-02-24 16:09 - 2017-02-24 16:09 - 00000000 ____D C:\Program Files (x86)\HitmanPro.Alert
2017-02-24 15:28 - 2017-02-24 15:28 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\HitmanPro
2017-02-24 15:28 - 2017-02-24 15:28 - 00000000 ____D C:\Program Files\HitmanPro
2017-02-24 15:04 - 2017-02-24 15:04 - 00000000 ____D C:\Users\Yu Zheng\Desktop\Recover
2017-02-24 13:51 - 2017-02-24 13:51 - 00000000 ____D C:\Users\Yu Zheng\AppData\Roaming\www.shadowexplorer.com
2017-02-24 13:51 - 2017-02-24 13:51 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ShadowExplorer
2017-02-24 13:51 - 2017-02-24 13:51 - 00000000 ____D C:\Program Files (x86)\ShadowExplorer
2017-02-24 13:10 - 2017-02-24 13:48 - 00001090 _____ C:\Users\Public\Desktop\System Explorer.lnk
2017-02-24 13:10 - 2017-02-24 13:48 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Explorer
2017-02-24 13:10 - 2017-02-24 13:48 - 00000000 ____D C:\Program Files (x86)\System Explorer
2017-02-24 13:10 - 2017-02-24 13:12 - 00000000 ____D C:\ProgramData\SystemExplorer
2017-02-24 12:54 - 2017-02-25 03:53 - 00128223 _____ C:\windows\ZAM.krnl.trace
2017-02-24 12:54 - 2017-02-25 03:53 - 00090324 _____ C:\windows\ZAM_Guard.krnl.trace
2017-02-24 12:54 - 2017-02-24 12:54 - 00203680 _____ (Zemana Ltd.) C:\windows\system32\Drivers\zamguard64.sys
2017-02-24 12:54 - 2017-02-24 12:54 - 00203680 _____ (Zemana Ltd.) C:\windows\system32\Drivers\zam64.sys
2017-02-24 12:54 - 2017-02-24 12:54 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Zemana AntiMalware
2017-02-24 12:54 - 2017-02-24 12:54 - 00000000 ____D C:\Program Files (x86)\Zemana AntiMalware
2017-02-24 12:51 - 2017-02-24 12:51 - 00000000 ____D C:\Users\Yu Zheng\AppData\Local\Zemana
2017-02-24 11:03 - 2017-02-24 22:56 - 00000000 ____D C:\ProgramData\HitmanPro.Alert
2017-02-24 10:54 - 2017-02-24 10:54 - 02093773 _____ C:\windows\SchoolCommentsBuilder.zip
2017-02-24 09:00 - 2017-02-24 09:00 - 00075862 _____ C:\Users\Anderson\Desktop\_HELP_HELP_HELP_RLWB_.hta
2017-02-24 08:47 - 2017-02-24 08:47 - 00075862 _____ C:\Users\Yu Zheng\Documents\_HELP_HELP_HELP_VL61N_.hta
2017-02-24 08:23 - 2017-02-24 08:23 - 00075862 _____ C:\_HELP_HELP_HELP_CL92F3AN_.hta
2017-02-20 00:37 - 2017-02-24 22:58 - 00003372 _____ C:\windows\System32\Tasks\RealDownloaderRealUpgradeScheduledTaskS-1-5-21-1359419172-3491595909-2348629299-1001
2017-02-20 00:37 - 2017-02-24 22:58 - 00003244 _____ C:\windows\System32\Tasks\RealDownloaderRealUpgradeLogonTaskS-1-5-21-1359419172-3491595909-2348629299-1001
2017-02-19 02:57 - 2017-02-24 08:56 - 00016619 _____ C:\Users\Yu Zheng\Desktop\JN9C9AgSYj.905f
2017-02-19 02:55 - 2017-02-24 08:56 - 00012952 _____ C:\Users\Yu Zheng\Desktop\aQIF4XM51S.905f
2017-02-16 20:55 - 2017-02-24 15:18 - 00000000 ____D C:\Users\Yu Zheng\Desktop\Damn Stuff
2017-02-10 02:28 - 2017-02-10 02:28 - 00008192 _____ C:\Users\Yu Zheng\AppData\Roaming\records_db
2017-02-07 02:27 - 2017-02-12 20:35 - 00000084 _____ C:\Users\Yu Zheng\Desktop\a.txt
2017-02-02 19:40 - 2017-02-24 09:01 - 00000000 ____D C:\Users\Anderson\Desktop\Xin Yu

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2017-02-25 03:33 - 2014-05-25 14:12 - 00000000 ____D C:\Users\Yu Zheng\Documents\Visual Studio 2013
2017-02-25 02:46 - 2013-02-05 06:50 - 00000000 ____D C:\Program Files (x86)\Pandora Recovery
2017-02-25 01:19 - 2014-07-15 15:22 - 00000000 ____D C:\Users\Anderson\Documents\My Received Files
2017-02-25 01:19 - 2011-12-27 20:20 - 00000000 ____D C:\ProgramData\VeriFace
2017-02-25 01:19 - 2011-12-27 20:14 - 00176879 _____ C:\windows\system32\fastboot.set
2017-02-25 00:03 - 2009-07-14 13:13 - 00788428 _____ C:\windows\system32\PerfStringBackup.INI
2017-02-25 00:03 - 2009-07-14 11:20 - 00000000 ____D C:\windows\inf
2017-02-24 23:50 - 2015-09-04 02:32 - 00000000 ____D C:\Users\Yu Zheng\Downloads\Compressed
2017-02-24 23:04 - 2009-07-14 12:45 - 00021280 ____H C:\windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2017-02-24 23:04 - 2009-07-14 12:45 - 00021280 ____H C:\windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2017-02-24 22:57 - 2016-09-02 03:29 - 00192216 _____ (Malwarebytes) C:\windows\system32\Drivers\MBAMSwissArmy.sys
2017-02-24 22:57 - 2012-04-28 01:22 - 00000000 ____D C:\Users\Yu Zheng\Documents\My Received Files
2017-02-24 22:56 - 2012-04-28 01:26 - 00000000 ____D C:\ProgramData\VMware
2017-02-24 22:56 - 2009-07-14 13:08 - 00000006 ____H C:\windows\Tasks\SA.DAT
2017-02-24 16:07 - 2012-04-28 00:48 - 00000000 ____D C:\Users\Yu Zheng
2017-02-24 16:04 - 2015-09-04 02:32 - 00000000 ____D C:\Users\Yu Zheng\AppData\Roaming\DMCache
2017-02-24 15:21 - 2016-10-26 20:59 - 00000000 ____D C:\Users\Yu Zheng\Desktop\Visual Studio 2013 Projects
2017-02-24 15:20 - 2014-11-01 20:54 - 00000000 ____D C:\Users\Yu Zheng\Desktop\Use And Delete
2017-02-24 15:20 - 2014-06-29 02:21 - 00000000 ____D C:\Users\Yu Zheng\Desktop\ShuiHu
2017-02-24 15:20 - 2013-04-20 19:44 - 00000000 ____D C:\Users\Yu Zheng\Desktop\short program
2017-02-24 15:20 - 2012-09-26 21:12 - 00000000 ____D C:\Users\Yu Zheng\Desktop\SSP12 3A - Lift Prototype
2017-02-24 15:19 - 2017-01-06 14:20 - 00000000 ____D C:\Users\Yu Zheng\Desktop\RESUME
2017-02-24 15:19 - 2015-10-04 01:09 - 00000000 ____D C:\Users\Yu Zheng\Desktop\Mario
2017-02-24 15:19 - 2015-02-16 05:00 - 00000000 ____D C:\Users\Yu Zheng\Desktop\newone
2017-02-24 15:19 - 2014-05-14 21:45 - 00000000 ____D C:\Users\Yu Zheng\Desktop\NYP Module
2017-02-24 15:19 - 2014-02-01 09:45 - 00000000 ____D C:\Users\Yu Zheng\Desktop\Java Teaching Material
2017-02-24 15:19 - 2012-10-09 01:13 - 00000000 ____D C:\Users\Yu Zheng\Desktop\Java Testing
2017-02-24 15:19 - 2012-09-23 05:54 - 00000000 ____D C:\Users\Yu Zheng\Desktop\Prototype images
2017-02-24 15:19 - 2012-05-19 04:54 - 00000000 ____D C:\Users\Yu Zheng\Desktop\Sample
2017-02-24 15:18 - 2016-10-26 05:23 - 00000000 ____D C:\Users\Yu Zheng\Desktop\CHECKED CLEAR
2017-02-24 15:18 - 2015-07-14 21:37 - 00000000 ____D C:\Users\Yu Zheng\Desktop\JAVA homework
2017-02-24 15:18 - 2014-09-06 10:06 - 00000000 ____D C:\Users\Yu Zheng\Desktop\Interface vs abstract class
2017-02-24 15:18 - 2012-08-30 04:04 - 00000000 ____D C:\Users\Yu Zheng\Desktop\Image
2017-02-24 15:18 - 2012-08-21 22:16 - 00000000 ____D C:\Users\Yu Zheng\Desktop\FYPTemplate
2017-02-24 15:17 - 2016-08-12 00:58 - 00000000 ____D C:\Users\Yu Zheng\Desktop\Authy Tester
2017-02-24 15:17 - 2014-10-11 01:45 - 00000000 ____D C:\Users\Yu Zheng\Desktop\C Programming
2017-02-24 15:17 - 2014-03-18 04:49 - 00000000 ____D C:\Users\Yu Zheng\Desktop\C++ Testing
2017-02-24 15:17 - 2013-05-25 16:56 - 00000000 ____D C:\Users\Yu Zheng\Desktop\algo_A3
2017-02-24 15:17 - 2013-05-24 22:33 - 00000000 ____D C:\Users\Yu Zheng\Desktop\Algo_Assignment3
2017-02-24 15:17 - 2013-05-09 08:54 - 00000000 ____D C:\Users\Yu Zheng\Desktop\A1_backup
2017-02-24 15:17 - 2013-01-21 14:27 - 00000000 ____D C:\Users\Yu Zheng\Desktop\222_A1
2017-02-24 13:47 - 2013-01-02 15:52 - 00007655 _____ C:\Users\Yu Zheng\AppData\Local\Resmon.ResmonCfg
2017-02-24 12:45 - 2015-09-04 03:22 - 00000000 ____D C:\Users\Yu Zheng\Downloads\Video
2017-02-24 12:23 - 2012-05-29 21:12 - 00250644 _____ C:\windows\ntbtlog.txt
2017-02-24 11:27 - 2013-02-07 05:38 - 00000000 ____D C:\windows\pss
2017-02-24 11:22 - 2016-06-14 04:04 - 00000000 ____D C:\AdwCleaner
2017-02-24 09:01 - 2015-11-09 20:30 - 00000000 ____D C:\Users\Anderson\Desktop\IDS
2017-02-24 09:01 - 2015-09-24 14:20 - 02000786 _____ C:\Users\Anderson\Desktop\zdM51nB5XE.905f
2017-02-24 09:01 - 2015-08-31 21:16 - 00218270 _____ C:\Users\Anderson\Desktop\FiuaSUNzzM.905f
2017-02-24 09:01 - 2015-02-12 19:01 - 00028313 _____ C:\Users\Anderson\Desktop\KUeMEIAHDc.905f
  Build-To-Order System_files
2017-02-24 09:01 - 2015-01-31 10:56 - 00079982 _____ C:\Users\Anderson\Desktop\9M-upy-Tdx.905f
2017-02-24 09:01 - 2015-01-22 16:28 - 01925846 _____ C:\Users\Anderson\Desktop\lWxnxGb7JQ.905f
2017-02-24 09:01 - 2015-01-17 11:46 - 00004844 _____ C:\Users\Anderson\Desktop\WIQijg1Itr.905f
2017-02-24 09:01 - 2014-12-07 12:19 - 00005625 _____ C:\Users\Anderson\Desktop\yZykhMH6nf.905f
2017-02-24 09:00 - 2015-01-13 07:15 - 00003788 _____ C:\Users\Anderson\Desktop\3b4kV9QWu3.905f
2017-02-24 08:59 - 2016-10-31 00:08 - 00915459 _____ C:\Users\Yu Zheng\Desktop\95sge7AFMQ.905f
2017-02-24 08:59 - 2015-01-08 21:16 - 00094052 _____ C:\Users\Yu Zheng\Desktop\FJEPdgRc6P.905f
2017-02-24 08:59 - 2014-08-06 23:10 - 03063997 _____ C:\Users\Yu Zheng\Desktop\D9wIkyAICQ.905f
2017-02-24 08:59 - 2013-05-30 23:06 - 00162826 _____ C:\Users\Yu Zheng\Desktop\ARNXqnzh2T.905f
2017-02-24 08:59 - 2013-05-25 16:55 - 00092876 _____ C:\Users\Yu Zheng\Desktop\aFKoAtxzj0.905f
2017-02-24 08:59 - 2012-09-28 20:19 - 00339931 _____ C:\Users\Yu Zheng\Desktop\QuW7CgnHK0.905f
2017-02-24 08:58 - 2017-01-24 23:29 - 00014227 _____ C:\Users\Yu Zheng\Desktop\SIkL3WWFKj.905f
2017-02-24 08:58 - 2016-12-10 11:16 - 00010006 _____ C:\Users\Yu Zheng\Desktop\anHlQdBlsb.905f
2017-02-24 08:58 - 2016-08-12 17:10 - 00003604 _____ C:\Users\Yu Zheng\Desktop\yXCBGrjXK4.905f
2017-02-24 08:58 - 2015-02-02 22:53 - 06675837 _____ C:\Users\Yu Zheng\Desktop\KrdZQ-MPp6.905f
2017-02-24 08:58 - 2015-01-09 05:45 - 06009456 _____ C:\Users\Yu Zheng\Desktop\3JioC7VLCy.905f
2017-02-24 08:58 - 2014-05-31 22:02 - 00017848 _____ C:\Users\Yu Zheng\Desktop\bFqG4sYrh2.905f
2017-02-24 08:58 - 2013-10-24 15:47 - 00115375 _____ C:\Users\Yu Zheng\Desktop\hjPLUn6YcB.905f
2017-02-24 08:58 - 2013-10-21 22:33 - 00239139 _____ C:\Users\Yu Zheng\Desktop\HNOheOjV-N.905f
2017-02-24 08:58 - 2013-01-08 00:43 - 00210041 _____ C:\Users\Yu Zheng\Desktop\VF8k9r5hEz.905f
2017-02-24 08:58 - 2012-11-27 22:02 - 00124168 _____ C:\Users\Yu Zheng\Desktop\-k80uZ1KIp.905f
2017-02-24 08:56 - 2016-11-18 22:49 - 00127427 _____ C:\Users\Yu Zheng\Desktop\v0XiKVCFQg.905f
2017-02-24 08:56 - 2016-11-18 07:04 - 00125409 _____ C:\Users\Yu Zheng\Desktop\9g2IADM2q9.905f
2017-02-24 08:56 - 2016-08-30 20:48 - 00190974 _____ C:\Users\Yu Zheng\Desktop\PlvlQH4K4a.905f
2017-02-24 08:56 - 2016-03-18 00:58 - 00037318 _____ C:\Users\Yu Zheng\Desktop\jOM8IVrCd1.905f
2017-02-24 08:56 - 2013-09-04 00:26 - 00009300 _____ C:\Users\Yu Zheng\Desktop\iWyGczXriI.905f
2017-02-24 08:56 - 2012-11-26 11:29 - 00047544 _____ C:\Users\Yu Zheng\Desktop\bpdluaDWD1.905f
2017-02-24 08:56 - 2012-11-22 17:44 - 00025571 _____ C:\Users\Yu Zheng\Desktop\OL6rpTA7Gv.905f
2017-02-24 08:50 - 2015-06-01 18:47 - 00004837 _____ C:\Users\Yu Zheng\Desktop\F22WRjWJ3m.905f
2017-02-24 08:49 - 2012-09-15 02:49 - 00000000 ____D C:\Users\Yu Zheng\Documents\NetBeansProjects
2017-02-24 08:48 - 2012-09-21 06:49 - 00000000 ____D C:\Users\Yu Zheng\Documents\My Digital Editions
2017-02-24 08:47 - 2014-11-20 08:50 - 00000000 ____D C:\xampp
2017-02-24 08:47 - 2013-08-04 00:23 - 00000000 ____D C:\Users\Yu Zheng\Documents\Flash Tutorial
2017-02-24 08:47 - 2012-10-07 14:11 - 00295340 _____ C:\Users\Yu Zheng\Documents\VyYOjiT4-w.905f
2017-02-24 08:47 - 2012-09-23 05:41 - 00003494 _____ C:\Users\Yu Zheng\Documents\Tj0eXNsEkm.905f
2017-02-24 08:42 - 2016-09-10 05:19 - 00232624 _____ C:\NzXGRFrbws.905f
2017-02-24 08:42 - 2016-07-06 19:31 - 00232618 _____ C:\28ZqDxdl2u.905f
2017-02-24 08:42 - 2016-06-14 01:35 - 00463108 _____ C:\TKJ9Yc7-WK.905f
2017-02-24 08:42 - 2007-11-07 08:00 - 00006108 _____ C:\bfQD0V6zOP.905f
2017-02-24 08:41 - 2012-04-28 14:57 - 00000000 ____D C:\Games
2017-02-24 08:35 - 2012-12-01 13:47 - 00000000 ____D C:\FYP_ALL
2017-02-24 08:33 - 2013-09-14 02:30 - 00000000 ____D C:\Game962
2017-02-24 08:33 - 2007-11-07 08:00 - 00018158 _____ C:\WYGMXVq7I8.905f
2017-02-24 08:33 - 2007-11-07 08:00 - 00018158 _____ C:\rrVheblD8s.905f
2017-02-24 08:33 - 2007-11-07 08:00 - 00018158 _____ C:\PnCMZTxsHX.905f
2017-02-24 08:33 - 2007-11-07 08:00 - 00018158 _____ C:\k9es158K3R.905f
2017-02-24 08:33 - 2007-11-07 08:00 - 00018158 _____ C:\f3XffXrPFs.905f
2017-02-24 08:33 - 2007-11-07 08:00 - 00018158 _____ C:\d22iItjlZW.905f
2017-02-24 08:33 - 2007-11-07 08:00 - 00018158 _____ C:\9CUllR5pxp.905f
2017-02-24 08:33 - 2007-11-07 08:00 - 00010558 _____ C:\4MsfWdMggG.905f
2017-02-24 08:28 - 2015-02-05 13:31 - 00000000 ____D C:\EngineSDK
2017-02-24 08:27 - 2015-05-20 05:33 - 00000000 ____D C:\Eclipse
2017-02-24 08:27 - 2013-02-07 03:21 - 00000000 ____D C:\EGIS_Drive
2017-02-24 08:27 - 2013-02-04 18:35 - 00000000 ____D C:\eDataSecurity
2017-02-24 08:23 - 2016-10-24 21:26 - 00003772 _____ C:\fQgBKh2WUv.905f
2017-02-24 08:23 - 2014-06-14 22:43 - 00000000 ____D C:\Android Development
2017-02-24 08:23 - 2014-03-25 03:41 - 00000000 ____D C:\Dev-Cpp
2017-02-24 08:17 - 2014-02-06 14:27 - 00000000 ____D C:\Adobe ActionScript 3.0 Lesson Files
2017-02-24 08:17 - 2013-05-02 20:49 - 00000000 ____D C:\Adobe CS5.5 Master Collection
2017-02-24 08:16 - 2013-05-02 20:38 - 00000000 ____D C:\3d max
2017-02-24 08:16 - 2013-02-04 18:47 - 00000000 ____D C:\Acer
2017-02-24 07:55 - 2012-09-21 09:03 - 00000000 ____D C:\Users\Yu Zheng\AppData\Local\CrashDumps
2017-02-21 07:12 - 2009-07-14 13:08 - 00032558 _____ C:\windows\Tasks\SCHEDLGU.TXT
2017-02-20 16:39 - 2014-05-29 16:08 - 00000000 ____D C:\Users\Anderson\Documents\Visual Studio 2013
2017-02-14 22:20 - 2012-04-28 15:14 - 00000000 ____D C:\Program Files (x86)\DOSBox-0.72
2017-02-07 10:09 - 2016-10-25 20:18 - 00002195 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk
2017-02-07 10:09 - 2016-10-25 20:18 - 00002183 _____ C:\Users\Public\Desktop\Google Chrome.lnk
2017-01-27 12:48 - 2012-08-06 00:08 - 00000000 ____D C:\Users\Yu Zheng\MUSICS

==================== Files in the root of some directories =======

2013-06-14 01:15 - 2016-09-02 03:30 - 0000289 _____ () C:\Users\Yu Zheng\AppData\Roaming\burnaware.ini
2007-08-01 07:00 - 2007-08-01 07:00 - 0001695 _____ () C:\Users\Yu Zheng\AppData\Roaming\CrenelDivvy.z
2003-10-13 07:00 - 2003-10-13 07:00 - 0150278 _____ () C:\Users\Yu Zheng\AppData\Roaming\Discotheque.C
2015-07-12 04:33 - 2016-12-20 18:14 - 0000149 _____ () C:\Users\Yu Zheng\AppData\Roaming\licecap.ini
2014-06-29 02:34 - 2014-06-29 03:11 - 0000046 _____ () C:\Users\Yu Zheng\AppData\Roaming\mbam.context.scan
2012-05-28 17:22 - 2014-03-12 00:03 - 0000565 _____ () C:\Users\Yu Zheng\AppData\Roaming\myMPQ.ini
2017-02-10 02:28 - 2017-02-10 02:28 - 0008192 _____ () C:\Users\Yu Zheng\AppData\Roaming\records_db
2013-02-04 18:37 - 2013-02-04 18:37 - 0000625 _____ () C:\Users\Yu Zheng\AppData\Local\edsinstaller.txt-20130204.log
2013-02-07 03:11 - 2013-02-07 03:14 - 0146651 _____ () C:\Users\Yu Zheng\AppData\Local\edsinstaller.txt-20130207.log
2013-07-01 05:43 - 2013-07-01 05:57 - 0279060 _____ () C:\Users\Yu Zheng\AppData\Local\edsinstaller.txt-20130701.log
2013-01-02 15:52 - 2017-02-24 13:47 - 0007655 _____ () C:\Users\Yu Zheng\AppData\Local\Resmon.ResmonCfg
2013-11-07 02:49 - 2013-12-15 16:58 - 0000058 _____ () C:\ProgramData\Update.ini

Some files in TEMP:
====================
2016-05-11 20:26 - 2016-06-05 21:11 - 41763456 _____ (Skype Technologies S.A.) C:\Users\Anderson\AppData\Local\Temp\SkypeSetup.exe
2016-03-08 03:42 - 2016-03-08 03:43 - 11441744 _____ (SurfRight B.V.) C:\Users\Yu Zheng\AppData\Local\Temp\HitmanPro.exe
2017-02-24 11:04 - 2017-02-24 14:24 - 11581544 _____ (SurfRight B.V.) C:\Users\Yu Zheng\AppData\Local\Temp\HitmanPro_x64.exe
2016-01-10 03:17 - 2016-12-18 22:08 - 43872728 _____ (Skype Technologies S.A.) C:\Users\Yu Zheng\AppData\Local\Temp\SkypeSetup.exe
2006-05-25 01:10 - 2006-05-25 01:10 - 0455600 ____R (Macrovision Corporation) C:\Users\Yu Zheng\AppData\Local\Temp\_isF317.exe
2007-02-28 05:08 - 2007-02-28 05:08 - 0456416 ____R (Macrovision Corporation) C:\Users\Yu Zheng\AppData\Local\Temp\_isF50B.exe

==================== Bamital & volsnap ======================

(There is no automatic fix for files that do not pass verification.)

C:\windows\system32\winlogon.exe => File is digitally signed
C:\windows\system32\wininit.exe => File is digitally signed
C:\windows\SysWOW64\wininit.exe => File is digitally signed
C:\windows\explorer.exe => File is digitally signed
C:\windows\SysWOW64\explorer.exe => File is digitally signed
C:\windows\system32\svchost.exe => File is digitally signed
C:\windows\SysWOW64\svchost.exe => File is digitally signed
C:\windows\system32\services.exe => File is digitally signed
C:\windows\system32\User32.dll => File is digitally signed
C:\windows\SysWOW64\User32.dll => File is digitally signed
C:\windows\system32\userinit.exe => File is digitally signed
C:\windows\SysWOW64\userinit.exe => File is digitally signed
C:\windows\system32\rpcss.dll => File is digitally signed
C:\windows\system32\dnsapi.dll => File is digitally signed
C:\windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\windows\system32\Drivers\volsnap.sys => File is digitally signed


ATTENTION: ==> Could not access BCD.

LastRegBack: 2015-12-21 01:45

==================== End of FRST.txt ============================

 

Additional scan result of Farbar Recovery Scan Tool (x64) Version: 23-02-2017 01
Ran by Yu Zheng (25-02-2017 03:55:03)
Running from E:\
Windows 7 Home Premium Service Pack 1 (X64) (2012-04-27 16:48:26)
Boot Mode: Normal
==========================================================


==================== Accounts: =============================

Administrator (S-1-5-21-1359419172-3491595909-2348629299-500 - Administrator - Disabled)
Anderson (S-1-5-21-1359419172-3491595909-2348629299-1007 - Administrator - Enabled) => C:\Users\Anderson
Guest (S-1-5-21-1359419172-3491595909-2348629299-501 - Limited - Disabled)
HomeGroupUser$ (S-1-5-21-1359419172-3491595909-2348629299-1003 - Limited - Enabled)
UpdatusUser (S-1-5-21-1359419172-3491595909-2348629299-1000 - Limited - Enabled) => C:\Users\UpdatusUser
Yu Zheng (S-1-5-21-1359419172-3491595909-2348629299-1001 - Administrator - Enabled) => C:\Users\Yu Zheng

==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

AS: Windows Defender (Enabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

==================== Installed Programs ======================

(Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

Acer eDataSecurity Management (HKLM-x32\...\{A5633652-3795-4829-BB0B-644F0279E279}) (Version: 2.8.4367 - Egis Inc.)
Acer Empowering Technology (HKLM-x32\...\{AB6097D9-D722-4987-BD9E-A076E2848EE2}) (Version: 2.5.3005 - Acer Inc.)
Adobe AIR (HKLM-x32\...\Adobe AIR) (Version: 2.5.1.17730 - Adobe Systems Inc.)
Adobe Community Help (HKLM-x32\...\chc.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1) (Version: 3.4.980 - Adobe Systems Incorporated.)
Adobe Content Viewer (HKLM-x32\...\com.adobe.dmp.contentviewer) (Version: 1.4.0 - Adobe Systems Incorporated)
Adobe Creative Suite 5.5 Master Collection (HKLM-x32\...\{D57FC112-312E-4D70-860F-2DB8FB6858F0}) (Version: 5.5 - Adobe Systems Incorporated)
Adobe Digital Editions 3.0 (HKLM-x32\...\Adobe Digital Editions 3.0) (Version: 3.0 - Adobe Systems Incorporated)
Adobe Flash Player 20 ActiveX (HKLM-x32\...\Adobe Flash Player ActiveX) (Version: 20.0.0.228 - Adobe Systems Incorporated)
Adobe Flash Player 20 NPAPI (HKLM-x32\...\Adobe Flash Player NPAPI) (Version: 20.0.0.235 - Adobe Systems Incorporated)
Adobe Reader X (10.1.16) (HKLM-x32\...\{AC76BA86-7AD7-1033-7B44-AA1000000001}) (Version: 10.1.16 - Adobe Systems Incorporated)
Adobe Shockwave Player 12.1 (HKLM-x32\...\Adobe Shockwave Player) (Version: 12.1.3.153 - Adobe Systems, Inc.)
Adobe Story (HKLM-x32\...\com.adobe.AdobeStory.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1) (Version: 1.0.571 - Adobe Systems Incorporated)
Adobe Widget Browser (HKLM-x32\...\com.adobe.WidgetBrowser.E7BED6E5DDA59983786DD72EBFA46B1598278E07.1) (Version: 2.0 Build 230 - Adobe Systems Incorporated.)
Age of Empires III - Complete Collection (HKLM-x32\...\Age of Empires III - Complete Collection_Origami_is1) (Version: 1.0 - R.G. Origami, Seraph1)
Age of Empires III Trial (HKLM-x32\...\InstallShield_{C83F2952-4678-4F00-AB05-776658A8D0AE}) (Version: 1.00.0000 - Microsoft Game Studios)
Age of Empires III Trial (x32 Version: 1.00.0000 - Microsoft Game Studios) Hidden
Android SDK Tools (HKLM-x32\...\Android SDK Tools) (Version: 1.16 - Google Inc.)
ASIO4ALL (HKLM-x32\...\ASIO4ALL) (Version: 2.11 Beta1 - Michael Tippach)
AutoHotkey 1.0.48.05 (HKLM-x32\...\AutoHotkey) (Version: 1.0.48.05 - Chris Mallett)
AzureTools.Notifications (x32 Version: 2.1.10731.1602 - Microsoft Corporation) Hidden
Baldur's Gate(TM) II - Shadows of Amn(TM) (HKLM-x32\...\{7AF32AB1-CB97-11D4-9607-0050BA84F5F7}) (Version:  - )
Battle.net (HKLM-x32\...\Battle.net) (Version:  - )
Behaviors SDK (XAML) for Visual Studio (x32 Version: 12.0.41002.1 - Microsoft Corporation) Hidden
BitTorrent (HKU\S-1-5-21-1359419172-3491595909-2348629299-1000\...\BitTorrent) (Version: 7.9.2.32128 - BitTorrent Inc.)
BitTorrent (HKU\S-1-5-21-1359419172-3491595909-2348629299-1001\...\BitTorrent) (Version: 7.9.7.42331 - BitTorrent Inc.)
Blend for Visual Studio 2013 (x32 Version: 12.0.41002.1 - Microsoft Corporation) Hidden
Blend for Visual Studio 2013 ENU resources (x32 Version: 12.0.41002.1 - Microsoft Corporation) Hidden
Blend for Visual Studio SDK for .NET 4.5 (x32 Version: 3.0.40218.0 - Microsoft Corporation) Hidden
Blend for Visual Studio SDK for Silverlight 5 (x32 Version: 3.0.40218.0 - Microsoft Corporation) Hidden
Build Tools - amd64 (Version: 12.0.21005 - Microsoft Corporation) Hidden
Build Tools - x86 (x32 Version: 12.0.21005 - Microsoft Corporation) Hidden
Build Tools Language Resources - amd64 (Version: 12.0.21005 - Microsoft Corporation) Hidden
Build Tools Language Resources - x86 (x32 Version: 12.0.21005 - Microsoft Corporation) Hidden
BurnAware Free 6.3 (HKLM-x32\...\BurnAware Free_is1) (Version:  - Burnaware)
Caesar 3 (HKLM-x32\...\Caesar 3) (Version:  - )
CDex - Open Source Digital Audio CD Extractor (HKLM-x32\...\CDex) (Version: 1.70.4.2009 - Georgy Berdyshev)
Citadels (HKU\S-1-5-21-1359419172-3491595909-2348629299-1000\...\Citadels) (Version:  - BroomStixInk)
Citadels (HKU\S-1-5-21-1359419172-3491595909-2348629299-1001\...\Citadels) (Version:  - BroomStixInk)
Civilization III (HKLM-x32\...\{0AD84416-63A4-4CF3-BDDF-8FA866711FB0}) (Version:  - )
CryptoPrevent (HKLM-x32\...\{5C5B24E7-4694-4049-A222-CCE7D3FAC63F}_is1) (Version:  - Foolish IT LLC)
Dev-C++ 5 beta 9 release (4.9.9.2) (HKLM-x32\...\Dev-C++) (Version:  - )
Diablo (HKLM-x32\...\Diablo) (Version:  - )
Diablo II (HKLM-x32\...\Diablo II) (Version:  - )
Dotfuscator and Analytics Community Edition (x32 Version: 5.5.4954.46574 - PreEmptive Solutions) Hidden
Energy Management (HKLM-x32\...\InstallShield_{D0956C11-0F60-43FE-99AD-524E833471BB}) (Version: 6.0.1.6 - Lenovo)
Energy Management (x32 Version: 6.0.1.6 - Lenovo) Hidden
Entity Framework Tools for Visual Studio 2013 (HKLM-x32\...\{08AEF86A-1956-4846-B906-B01350E96E30}) (Version: 12.0.20912.0 - Microsoft Corporation)
Èý¹úɱ (HKLM-x32\...\Èý¹úɱ) (Version: 1.1.4.0 - º¼Öݱ߷æÍøÂç¿Æ¼¼ÓÐÏÞ¹«Ë¾)
Èý¹úÖ¾11ÍþÁ¦¼ÓÇ¿°æNETSHOWÍêÕû°æ (HKLM-x32\...\Èý¹úÖ¾11ÍþÁ¦¼ÓÇ¿°æNETSHOWÍêÕû°æ_is1) (Version:  - NETSHOW)
FL Studio 11 (HKLM-x32\...\FL Studio 11) (Version:  - Image-Line)
FlowStone FL 3.0 (HKLM-x32\...\FlowStone) (Version:  - )
GameMaker 8.1 (HKU\S-1-5-21-1359419172-3491595909-2348629299-1001\...\GameMaker81) (Version:  - )
Google Chrome (HKLM-x32\...\Google Chrome) (Version: 56.0.2924.87 - Google Inc.)
Google Toolbar for Internet Explorer (HKLM-x32\...\{2318C2B1-4965-11d4-9B18-009027A5CD4F}) (Version: 7.5.8231.2252 - Google Inc.)
Google Toolbar for Internet Explorer (x32 Version: 1.0.0 - Google Inc.) Hidden
Google Update Helper (x32 Version: 1.3.25.11 - Google Inc.) Hidden
Google Update Helper (x32 Version: 1.3.32.7 - Google Inc.) Hidden
Gothic (HKLM-x32\...\{BBF10B37-4ED3-11D5-A818-00500435FC18}) (Version:  - )
Gothic (HKLM-x32\...\Gothic_is1) (Version:  - GOG.com)
Gothic 2 Gold (HKLM-x32\...\Gothic 2 Gold_is1) (Version:  - GOG.com)
Heroes of Might and Magic 2 GOLD (HKLM-x32\...\Heroes of Might and Magic 2 GOLD_is1) (Version:  - GOG.com)
Heroes of Might and Magic 4 Complete (HKLM-x32\...\Heroes of Might and Magic 4 Complete_is1) (Version:  - GOG.com)
Heroes of Might and Magic III Complete (HKLM-x32\...\Heroes of Might and Magic III Complete) (Version:  - )
Heroes of Might and Magic V Collector Edition (HKLM-x32\...\{DDB68A90-340C-42B9-B42B-D2CBED1B91DC}) (Version:  - )
HitmanPro 3.7 (HKLM\...\HitmanPro37) (Version: 3.7.15.281 - SurfRight B.V.)
HitmanPro.Alert 3 (HKLM\...\HitmanPro.Alert) (Version: 3.6.3.586 - SurfRight B.V.)
IIS 8.0 Express (HKLM\...\{7BF61FA9-BDFB-4563-98AD-FCB0DA28CCC7}) (Version: 8.0.1557 - Microsoft Corporation)
IIS Express Application Compatibility Database for x64 (HKLM\...\{9f4f4a9b-eec5-4906-92fe-d1f43ccf5c8d}.sdb) (Version:  - )
IIS Express Application Compatibility Database for x86 (HKLM\...\{fdfba1f3-74ae-4255-9c10-a0f552b4610f}.sdb) (Version:  - )
IL Download Manager (HKLM-x32\...\IL Download Manager) (Version:  - Image-Line)
IL Shared Libraries (HKLM-x32\...\IL Shared Libraries) (Version:  - Image-Line)
Intel(R) Control Center (HKLM-x32\...\{F8A9085D-4C7A-41a9-8A77-C8998A96C421}) (Version: 1.2.1.1007 - Intel Corporation)
Intel(R) Management Engine Components (HKLM-x32\...\{65153EA5-8B6E-43B6-857B-C6E4FC25798A}) (Version: 7.0.0.1118 - Intel Corporation)
Intel(R) Processor Graphics (HKLM-x32\...\{F0E3AD40-2BBD-4360-9C76-B9AC9A5886EA}) (Version: 8.15.10.2538 - Intel Corporation)
Intel(R) Rapid Storage Technology (HKLM-x32\...\{3E29EE6C-963A-4aae-86C1-DC237C4A49FC}) (Version: 10.1.5.1001 - Intel Corporation)
Intel® Hardware Accelerated Execution Manager (HKLM\...\{7824FFE2-E5BE-4530-91AA-C1F442FD4A83}) (Version: 1.0.6 - Intel Corporation)
Internet Download Manager (HKLM-x32\...\Internet Download Manager) (Version:  - Tonec Inc.)
Java 7 Update 51 (64-bit) (HKLM\...\{26A24AE4-039D-4CA4-87B4-2F86417051FF}) (Version: 7.0.510 - Oracle)
Java 7 Update 65 (HKLM-x32\...\{26A24AE4-039D-4CA4-87B4-2F83217051FF}) (Version: 7.0.650 - Oracle)
Java 8 Update 31 (HKLM-x32\...\{26A24AE4-039D-4CA4-87B4-2F83218031F0}) (Version: 8.0.310 - Oracle Corporation)
Java 8 Update 45 (HKLM-x32\...\{26A24AE4-039D-4CA4-87B4-2F83218045F0}) (Version: 8.0.450 - Oracle Corporation)
Java 8 Update 51 (HKLM-x32\...\{26A24AE4-039D-4CA4-87B4-2F83218051F0}) (Version: 8.0.510 - Oracle Corporation)
Java 8 Update 60 (64-bit) (HKLM\...\{26A24AE4-039D-4CA4-87B4-2F86418060F0}) (Version: 8.0.600.27 - Oracle Corporation)
Java 8 Update 65 (HKLM-x32\...\{26A24AE4-039D-4CA4-87B4-2F83218065F0}) (Version: 8.0.650.17 - Oracle Corporation)
Java SE Development Kit 7 Update 51 (64-bit) (HKLM\...\{64A3A4F4-B792-11D6-A78A-00B0D0170510}) (Version: 1.7.0.510 - Oracle)
Java SE Development Kit 7 Update 7 (64-bit) (HKLM\...\{64A3A4F4-B792-11D6-A78A-00B0D0170070}) (Version: 1.7.0.70 - Oracle)
Java SE Development Kit 8 Update 60 (64-bit) (HKLM\...\{64A3A4F4-B792-11D6-A78A-00B0D0180600}) (Version: 8.0.600.27 - Oracle Corporation)
Java(TM) 6 Update 32 (HKLM-x32\...\{26A24AE4-039D-4CA4-87B4-2F83216032FF}) (Version: 6.0.320 - Oracle)
JavaScript Tooling (Version: 12.0.21005 - Microsoft Corporation) Hidden
JCreator LE 4.50 (HKLM-x32\...\JCreator LE_is1) (Version:  - Xinox Software)
JCreator Pro 5.00 (HKLM-x32\...\JCreator Pro_is1) (Version:  - Xinox Software)
LAME v3.99.3 (for Windows) (HKLM-x32\...\LAME_is1) (Version:  - )
LBOTS Top mouse Driver (HKLM-x32\...\{D4A3F178-321C-432F-A40F-CEA1C9CB357C}) (Version: 1.0 - Togran)
Lenovo Bluetooth with Enhanced Data Rate Software (HKLM\...\{436E0B79-2CFB-4E5F-9380-E17C1B25D0C5}) (Version: 6.3.0.7400 - Broadcom Corporation)
Lenovo EasyCamera (HKLM-x32\...\{E0A7ED39-8CD6-4351-93C3-69CCA00D12B4}) (Version: 6.1.7600.0083 - Realtek Semiconductor Corp.)
Lenovo EE Boot Optimizer (HKLM\...\Lenovo EE Boot Optimizer) (Version: 0.0.1.5 - Lenovo)
Lenovo MuteSync (HKLM-x32\...\InstallShield_{C39EF9B4-0C4F-4D48-8665-8FD45BFF3961}) (Version: 1.0.0.3 - Lenovo)
Lenovo MuteSync (x32 Version: 1.0.0.3 - Lenovo) Hidden
Lenovo OneKey Recovery (HKLM-x32\...\InstallShield_{46F4D124-20E5-4D12-BE52-EC177A7A4B42}) (Version: 7.0.1628 - CyberLink Corp.)
Lenovo OneKey Recovery (Version: 7.0.1628 - CyberLink Corp.) Hidden
Lenovo YouCam (HKLM-x32\...\InstallShield_{01FB4998-33C4-4431-85ED-079E3EEFE75D}) (Version: 3.1.3603 - CyberLink Corp.)
Lenovo YouCam (x32 Version: 3.1.3603 - CyberLink Corp.) Hidden
Lenovo_Wireless_Driver (HKLM-x32\...\{28ABE740-47F3-441B-9437-852F6A64EFF8}) (Version: 1.02.01 - Lenovo)
Little Fighter 2 version 2.0a (HKLM-x32\...\Little Fighter 2 version 2.0a) (Version:  - )
LocalESPC Dev12 (x32 Version: 8.100.25984 - Microsoft Corporation) Hidden
LocalESPCui for en-us Dev12 (x32 Version: 8.100.25984 - Microsoft) Hidden
LockHunter 3.1, 32/64 bit (HKLM\...\LockHunter_is1) (Version:  - Crystal Rich Ltd)
Malwarebytes Anti-Malware version 2.2.1.1043 (HKLM-x32\...\Malwarebytes Anti-Malware_is1) (Version: 2.2.1.1043 - Malwarebytes)
McAfee WebAdvisor (HKLM-x32\...\{35ED3F83-4BDC-4c44-8EC6-6A8301C7413A}) (Version: 4.0.228 - McAfee, Inc.)
MDF to ISO version 1.0 (HKLM-x32\...\{79DDA36F-B19E-4293-A4F2-FA3EC1C06E6E}_is1) (Version: 1.0 - mdftoiso.com)
Microsoft .NET Framework 4.5 Multi-Targeting Pack (HKLM-x32\...\{56E962F0-4FB0-3C67-88DB-9EAA6EEFC493}) (Version: 4.5.50710 - Microsoft Corporation)
Microsoft .NET Framework 4.5 SDK (HKLM-x32\...\{4AE57014-05C4-4864-A13D-86517A7E1BA4}) (Version: 4.5.50710 - Microsoft Corporation)
Microsoft .NET Framework 4.5.1 (HKLM\...\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033) (Version: 4.5.50938 - Microsoft Corporation)
Microsoft .NET Framework 4.5.1 Multi-Targeting Pack (ENU) (HKLM-x32\...\{D3517C62-68A5-37CF-92F7-93C029A89681}) (Version: 4.5.50932 - Microsoft Corporation)
Microsoft .NET Framework 4.5.1 Multi-Targeting Pack (HKLM-x32\...\{6A0C6700-EA93-372C-8871-DCCF13D160A4}) (Version: 4.5.50932 - Microsoft Corporation)
Microsoft .NET Framework 4.5.1 SDK (HKLM-x32\...\{19A5926D-66E1-46FC-854D-163AA10A52D3}) (Version: 4.5.51641 - Microsoft Corporation)
Microsoft Age of Empires Gold (HKLM-x32\...\Age of Empires Gold 1.0) (Version:  - )
Microsoft AppLocale (HKLM-x32\...\{394BE3D9-7F57-4638-A8D1-1D88671913B7}) (Version: 1.0.0 - MS)
Microsoft Help Viewer 2.1 (HKLM-x32\...\Microsoft Help Viewer 2.1) (Version: 2.1.21005 - Microsoft Corporation)
Microsoft Office 2010 (HKLM-x32\...\{95140000-0070-0000-0000-0000000FF1CE}) (Version: 14.0.4763.1000 - Microsoft Corporation)
Microsoft Office Click-to-Run 2010 (HKLM-x32\...\Office14.Click2Run) (Version: 14.0.4763.1000 - Microsoft Corporation)
Microsoft Office Professional Plus 2010 (HKLM-x32\...\Office14.PROPLUS) (Version: 14.0.4734.1000 - Microsoft Corporation)
Microsoft PowerPoint Viewer (HKLM-x32\...\{95140000-00AF-0409-0000-0000000FF1CE}) (Version: 14.0.6029.1000 - Microsoft Corporation)
Microsoft Silverlight (HKLM-x32\...\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}) (Version: 5.1.20513.0 - Microsoft Corporation)
Microsoft Silverlight 5 SDK (HKLM-x32\...\{E1FBB3D4-ADB0-4949-B101-855DA061C735}) (Version: 5.0.61118.0 - Microsoft Corporation)
Microsoft SQL Server 2012 Command Line Utilities  (HKLM\...\{58FED865-4F13-408D-A5BF-996019C4B936}) (Version: 11.1.3000.0 - Microsoft Corporation)
Microsoft SQL Server 2012 Data-Tier App Framework  (HKLM-x32\...\{1B876496-B3A2-4D22-9B12-B608A3FD4B8B}) (Version: 11.1.2902.0 - Microsoft Corporation)
Microsoft SQL Server 2012 Data-Tier App Framework  (x64) (HKLM\...\{A6BA243E-85A3-4635-A269-32949C98AC7F}) (Version: 11.1.2902.0 - Microsoft Corporation)
Microsoft SQL Server 2012 Express LocalDB  (HKLM\...\{6C026A91-640F-4A23-8B68-05D589CC6F18}) (Version: 11.1.3000.0 - Microsoft Corporation)
Microsoft SQL Server 2012 Management Objects  (HKLM-x32\...\{2F7DBBE6-8EBC-495C-9041-46A772F4E311}) (Version: 11.1.3000.0 - Microsoft Corporation)
Microsoft SQL Server 2012 Management Objects  (x64) (HKLM\...\{43A5C316-9521-49C3-B9B6-FCE5E1005DF0}) (Version: 11.1.3000.0 - Microsoft Corporation)
Microsoft SQL Server 2012 Native Client  (HKLM\...\{D411E9C9-CE62-4DBF-9D92-4CB22B750ED5}) (Version: 11.1.3000.0 - Microsoft Corporation)
Microsoft SQL Server 2012 Transact-SQL ScriptDom  (HKLM\...\{54C5041B-0E91-4E92-8417-AAA12493C790}) (Version: 11.1.3000.0 - Microsoft Corporation)
Microsoft SQL Server 2012 T-SQL Language Service  (HKLM-x32\...\{04DD7AF4-A6D3-4E30-9BB9-3B3670719234}) (Version: 11.1.3000.0 - Microsoft Corporation)
Microsoft SQL Server Compact 4.0 SP1 x64 ENU (HKLM\...\{78909610-D229-459C-A936-25D92283D3FD}) (Version: 4.0.8876.1 - Microsoft Corporation)
Microsoft SQL Server Data Tools - enu (12.0.30919.1) (HKLM-x32\...\{0D7FCBFB-F478-4D32-901C-83F0BF5A3501}) (Version: 12.0.30919.1 - Microsoft Corporation)
Microsoft SQL Server Data Tools Build Utilities - enu (12.0.30919.1) (HKLM-x32\...\{6781FF9B-E87D-4A03-9373-A55A288B83FA}) (Version: 12.0.30919.1 - Microsoft Corporation)
Microsoft SQL Server System CLR Types (HKLM-x32\...\{A47FD1BF-A815-4A76-BE65-53A15BD5D25D}) (Version: 10.50.1600.1 - Microsoft Corporation)
Microsoft SQL Server System CLR Types (x64) (HKLM\...\{4701DEDE-1888-49E0-BAE5-857875924CA2}) (Version: 10.50.1600.1 - Microsoft Corporation)
Microsoft System CLR Types for SQL Server 2012 (HKLM-x32\...\{070C38AC-05CE-43DF-9A20-141332F6AB2B}) (Version: 11.1.3366.16 - Microsoft Corporation)
Microsoft System CLR Types for SQL Server 2012 (x64) (HKLM\...\{05FF8209-C4F1-4C77-BC28-791653156D20}) (Version: 11.1.3366.16 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}) (Version: 8.0.61001 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{837b34e3-7c30-493c-8f6a-2b0f04e2912c}) (Version: 8.0.59193 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.4148 (HKLM\...\{4B6C7001-C7D6-3710-913E-5BC23FCE91E6}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161 (HKLM\...\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022 (HKLM-x32\...\{FF66E9F6-83E7-3A3E-AF14-8DE9A809A6A4}) (Version: 9.0.21022 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (HKLM-x32\...\{9A25302D-30C0-39D9-BD6F-21E6EC160475}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (HKLM-x32\...\{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM-x32\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.30319 (HKLM-x32\...\{196BB40D-1578-3D01-B289-BEFC77A11A1E}) (Version: 10.0.30319 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.60610 (HKLM-x32\...\{a1909659-0a08-4554-8af1-2175904903a1}) (Version: 11.0.60610.1 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.60610 (HKLM-x32\...\{95716cce-fc71-413f-8ad5-56c2892d4b3a}) (Version: 11.0.60610.1 - Microsoft Corporation)
Microsoft Visual Studio 2010 Tools for Office Runtime (x64) (HKLM\...\Microsoft Visual Studio 2010 Tools for Office Runtime (x64)) (Version: 10.0.40820 - Microsoft Corporation)
Microsoft Visual Studio Ultimate 2013 (HKLM-x32\...\{cd09eea6-d0b3-4246-bb80-e047ceadf61f}) (Version: 12.0.21005.13 - Microsoft Corporation)
Microsoft Web Deploy 3.5 (HKLM\...\{3674F088-9B90-473A-AAC3-20A00D8D810C}) (Version: 3.1237.1762 - Microsoft Corporation)
Microsoft Windows Application Compatibility Database (HKLM\...\{deb7008b-681e-4a4a-8aae-cc833e8216ce}.sdb) (Version:  - )
MySQL Connector C++ 1.1.3 (HKLM\...\{5C7A1ED6-DC5F-4017-B363-3E80644B4BD0}) (Version: 1.1.3 - Oracle and/or its affiliates)
MySQL Connector J (HKLM-x32\...\{E8528562-D612-4331-8A5B-57532D89716B}) (Version: 5.1.31 - Oracle Corporation)
MySQL Connector Net 6.8.3 (HKLM-x32\...\{38157422-F952-42F7-88AA-CC16A63CD109}) (Version: 6.8.3 - Oracle)
MySQL Connector Python v1.2.2 for Python v3.3 (HKLM-x32\...\{345018CB-60E7-4CC9-8DBA-6E908B8882E8}) (Version: 1.2.2 - Oracle)
MySQL Connector/C 6.1 (HKLM\...\{4E2AAB30-1E42-4ACA-B1A9-3AE8629D0C89}) (Version: 6.1.5 - Oracle Corporation)
MySQL Connector/ODBC 5.3 (HKLM\...\{43E572BC-B21F-4BEC-94CA-2D4AA6F53246}) (Version: 5.3.2 - Oracle Corporation)
MySQL Documents 5.6 (HKLM-x32\...\{790BC099-47CC-4215-9BF3-B20AC3D348B2}) (Version: 5.6.19 - Oracle Corporation)
MySQL Examples and Samples 5.6 (HKLM-x32\...\{8934A43E-D901-4337-8313-0C084FBB8ADE}) (Version: 5.6.19 - Oracle Corporation)
MySQL For Excel 1.2.1 (HKLM-x32\...\{EC5F887C-FCEE-45D7-BF7B-C0EA767CC45B}) (Version: 1.2.1 - Oracle)
MySQL for Visual Studio 1.1.4 (HKLM-x32\...\{3B89BFD4-8AD2-4177-A742-EB5310C0C7F3}) (Version: 1.1.4 - Oracle)
MySQL Installer (HKLM-x32\...\{7FDEB19B-06E3-4FA3-9FE7-D792939DCD55}) (Version: 1.3.6.0 - Oracle Corporation)
MySQL Notifier 1.1.5 (HKLM-x32\...\{DB02F4B3-3FC4-4FED-B2A2-7CDCF88D87D3}) (Version: 1.1.5 - Oracle)
MySQL Server 5.6 (HKLM\...\{FB2E13E5-05CE-4C27-B645-A6FB7D0AB412}) (Version: 5.6.19 - Oracle Corporation)
MySQL Utilities (HKLM-x32\...\{AD74E509-A826-4C30-93C3-73E2DFE271F2}) (Version: 1.4.3 - Oracle Corporation)
MySQL Workbench 6.1 CE (HKLM-x32\...\{AD95295B-0279-43B6-A873-F12A1D1CD146}) (Version: 6.1.7 - Oracle Corporation)
NetBeans IDE 7.2 (HKLM\...\nbi-nb-base-7.2.0.0.201207171143) (Version: 7.2 - NetBeans.org)
NetBeans IDE 7.4 (HKLM\...\nbi-nb-base-7.4.0.0.201310111528) (Version: 7.4 - NetBeans.org)
Notepad++ (HKLM-x32\...\Notepad++) (Version: 6.6.9 - Notepad++ Team)
NVIDIA 3D Vision Driver 267.53 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.3DVision) (Version: 267.53 - NVIDIA Corporation)
NVIDIA Graphics Driver 267.53 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.Driver) (Version: 267.53 - NVIDIA Corporation)
Onekey Theater (HKLM-x32\...\InstallShield_{D4B060B9-AD4A-4152-9D99-28B93C615AFE}) (Version: 2.0.2.8 - Lenovo)
Onekey Theater (x32 Version: 2.0.2.8 - Lenovo) Hidden
Open XML SDK 2.5 for Microsoft Office (x32 Version: 2.5.5631 - Microsoft Corporation) Hidden
PandoraRecovery (Remove Only) (HKLM-x32\...\PandoraRecovery) (Version:  - )
PARI (remove only) (HKLM-x32\...\PARI) (Version:  - )
PCSX2 - Playstation 2 Emulator (HKLM-x32\...\pcsx2-r4600) (Version:  - )
PDF Settings CS5 (x32 Version: 10.0 - Adobe Systems Incorporated) Hidden
PDFCreator (HKLM-x32\...\{0001B4FD-9EA3-4D90-A79E-FD14BA3AB01D}) (Version: 1.0.2 - Frank Heindörfer, Philip Chinery)
Photo Pos Pro (HKLM-x32\...\Photo Pos Pro) (Version: 1.88 - PowerOfSoftware Ltd.)
Power2Go (HKLM-x32\...\{40BF1E83-20EB-11D8-97C5-0009C5020658}) (Version: 5.6.0.7303 - CyberLink Corp.)
PreEmptive Analytics Visual Studio Components (x32 Version: 1.2.3197.1 - PreEmptive Solutions) Hidden
Prerequisites for SSDT  (HKLM-x32\...\{35C1D9D6-87C0-46A3-B1B4-EDBCC063221C}) (Version: 11.1.3000.0 - Microsoft Corporation)
PxMergeModule (x32 Version: 1.00.0000 - Your Company Name) Hidden
Python 3.3.3 (64-bit) (HKLM\...\{e9d90870-ab19-32a8-aa93-f8348ba21d05}) (Version: 3.3.3150 - Python Software Foundation)
Python 3.5.1 (32-bit) (HKU\S-1-5-21-1359419172-3491595909-2348629299-1001\...\{c39d559b-aa83-4476-ba20-988a35a1199a}) (Version: 3.5.1150.0 - Python Software Foundation)
Python 3.5.1 Core Interpreter (32-bit) (x32 Version: 3.5.1150.0 - Python Software Foundation) Hidden
Python 3.5.1 Development Libraries (32-bit) (x32 Version: 3.5.1150.0 - Python Software Foundation) Hidden
Python 3.5.1 Documentation (32-bit) (x32 Version: 3.5.1150.0 - Python Software Foundation) Hidden
Python 3.5.1 Executables (32-bit) (x32 Version: 3.5.1150.0 - Python Software Foundation) Hidden
Python 3.5.1 Launcher (32-bit) (HKLM-x32\...\{17778F7B-FB5A-4A93-9719-D75BAF673498}) (Version: 3.5.150.0 - Python Software Foundation)
Python 3.5.1 pip Bootstrap (32-bit) (x32 Version: 3.5.1150.0 - Python Software Foundation) Hidden
Python 3.5.1 Standard Library (32-bit) (x32 Version: 3.5.1150.0 - Python Software Foundation) Hidden
Python 3.5.1 Tcl/Tk Support (32-bit) (x32 Version: 3.5.1150.0 - Python Software Foundation) Hidden
Python 3.5.1 Test Suite (32-bit) (x32 Version: 3.5.1150.0 - Python Software Foundation) Hidden
Python 3.5.1 Utility Scripts (32-bit) (x32 Version: 3.5.1150.0 - Python Software Foundation) Hidden
Python Tools Redirection Template (x32 Version: 1.1 - Microsoft Corporation) Hidden
Qemu 0.7.2 (remove only) (HKLM-x32\...\Qemu) (Version:  - )
Quincy 2005 v. 1.3 (HKLM-x32\...\{8F1850CA-B67C-4888-A828-06AC1441C985}_is1) (Version:  - Codecutter)
Raptor - Call of the Shadows (HKLM-x32\...\Raptor - Call of the Shadows_is1) (Version:  - GOG.com)
RealDownloader (HKLM-x32\...\{A88E1685-1986-4A86-8E88-5FE1E727D026}) (Version: 1.2.0 - RealNetworks, Inc.)
Realtek Ethernet Controller Driver For Windows 7 (HKLM-x32\...\{8833FFB6-5B0C-4764-81AA-06DFEED9A476}) (Version: 7.23.623.2010 - Realtek)
Realtek High Definition Audio Driver (HKLM-x32\...\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}) (Version: 6.0.1.6301 - Realtek Semiconductor Corp.)
Realtek USB 2.0 Reader Driver (HKLM-x32\...\{62BBB2F0-E220-4821-A564-730807D2C34D}) (Version: 6.1.7601.39015 - Realtek Semiconductor Corp.)
Rome - Total War(TM) (HKLM-x32\...\InstallShield_{A642BB6B-CA1D-4142-8DD4-318C3F3DC834}) (Version: 1.0 - Activision)
Rome - Total War(TM) (x32 Version: 1.0 - Activision) Hidden
ShadowExplorer 0.9 (HKLM-x32\...\ShadowExplorer_is1) (Version: 0.9.462.0 - ShadowExplorer.com)
SharePoint Client Components (Version: 15.0.4481.1505 - Microsoft Corporation) Hidden
Sid Meier's Civilization 4 - Beyond the Sword (HKU\S-1-5-21-1359419172-3491595909-2348629299-1001\...\{32E4F0D2-C135-475E-A841-1D59A0D22989}) (Version: 3.17 - Firaxis Games)
Sid Meier's Civilization 4 - Warlords (HKU\S-1-5-21-1359419172-3491595909-2348629299-1000\...\{3E4B349F-10B5-4586-9D99-489A90A8B228}) (Version: 1.00.0000 - Firaxis Games)
Sid Meier's Civilization 4 - Warlords (HKU\S-1-5-21-1359419172-3491595909-2348629299-1001\...\{3E4B349F-10B5-4586-9D99-489A90A8B228}) (Version: 2.13 - Firaxis Games)
Sid Meier's Civilization 4 (HKU\S-1-5-21-1359419172-3491595909-2348629299-1000\...\{CFBCE791-2D53-4FCE-B3FB-D6E01F4112E8}) (Version: 1.00.0000 - Firaxis Games)
Sid Meier's Civilization 4 (HKU\S-1-5-21-1359419172-3491595909-2348629299-1001\...\{CFBCE791-2D53-4FCE-B3FB-D6E01F4112E8}) (Version: 1.74 - Firaxis Games)
Sid Meier's Civilization 4 (x32 Version: 1.00.0000 - Firaxis Games) Hidden
Sid Meier's Pirates! (HKLM-x32\...\InstallShield_{1632FD86-1BA4-4FC4-8B25-A8C655D63F68}) (Version: 2.00.0000 - Firaxis Games)
Sid Meier's Pirates! (x32 Version: 2.00.0000 - Firaxis Games) Hidden
Sierra Utilities (HKLM-x32\...\Sierra Utilities) (Version:  - )
Skype Click to Call (HKLM-x32\...\{873F8E7C-10E6-449F-BD7E-5FBA7C8E1C9B}) (Version: 8.5.0.9167 - Microsoft Corporation)
Skype™ 6.18 (HKLM-x32\...\{7A3C7E05-EE37-47D6-99E1-2EB05A3DA3F7}) (Version: 6.18.106 - Skype Technologies S.A.)
Skyscraper 2.0 Alpha 7 (HKLM-x32\...\Skyscraper) (Version: 2.0 Alpha 7 - Ryan Thoryk)
Snagit 11 (HKLM-x32\...\{F8E3C768-71F3-11E1-9DF7-70804824019B}) (Version: 11.0.1 - TechSmith Corporation)
SRS Premium Sound Control Panel (HKLM\...\{F3C66EC8-2F33-452D-9CFF-E8C886B3ECC4}) (Version: 1.11.0000 - SRS Labs, Inc.)
Starcraft (HKLM-x32\...\Starcraft) (Version:  - )
StarCraft II (HKLM-x32\...\StarCraft II) (Version: 1.0.0.16117 - Blizzard Entertainment)
swMSM (x32 Version: 12.0.0.1 - Adobe Systems, Inc) Hidden
Synaptics Pointing Device Driver (HKLM\...\SynTPDeinstKey) (Version: 15.3.2.0 - Synaptics Incorporated)
System Explorer 7.0.0 (HKLM-x32\...\{40F485F7-6478-4896-B0D5-F94BE677EB78}_is1) (Version:  - Mister Group)
Team Explorer for Microsoft Visual Studio 2013 (x32 Version: 12.0.21005 - Microsoft Corporation) Hidden
The KMPlayer (remove only) (HKLM-x32\...\The KMPlayer) (Version: 3.6.0.87 - KMP Media co., Ltd)
Unity Web Player (HKU\S-1-5-21-1359419172-3491595909-2348629299-1000\...\UnityWebPlayer) (Version:  - Unity Technologies ApS)
Unity Web Player (HKU\S-1-5-21-1359419172-3491595909-2348629299-1001\...\UnityWebPlayer) (Version:  - Unity Technologies ApS)
Update for  (KB2504637) (HKLM-x32\...\{CFEF48A8-BFB8-3EAC-8BA5-DE4F8AA267CE}.KB2504637) (Version: 1 - Microsoft Corporation)
UserGuide (HKLM-x32\...\InstallShield_{F07C2CF8-4C53-4EC3-8162-A6221E36EB88}) (Version: 1.0.0.6 - Lenovo)
UserGuide (x32 Version: 1.0.0.6 - Lenovo) Hidden
VeriFace (HKLM-x32\...\VeriFace) (Version: 4.0.1.0126 - Lenovo)
VirtualCloneDrive (HKLM-x32\...\VirtualCloneDrive) (Version:  - Elaborate Bytes)
VmciSockets (Version: 9.1.54.1 - VMware, Inc.) Hidden
VMware Player (HKLM-x32\...\VMware_Player) (Version: 4.0.2.28060 - VMware, Inc)
VMware Player (x32 Version: 4.0.2.28060 - VMware, Inc.) Hidden
Warcraft II BNE (HKLM-x32\...\Warcraft II BNE) (Version:  - )
Warcraft III (HKLM-x32\...\Warcraft III) (Version:  - )
Warcraft III: All Products (HKU\S-1-5-21-1359419172-3491595909-2348629299-1000\...\Warcraft III) (Version:  - )
Warcraft III: All Products (HKU\S-1-5-21-1359419172-3491595909-2348629299-1001\...\Warcraft III) (Version:  - )
WCF Data Services 5.6.0 Runtime (x32 Version: 5.6.61587.0 - Microsoft Corporation) Hidden
WCF Data Services Tools for Microsoft Visual Studio 2013 (x32 Version: 5.6.61587.0 - Microsoft Corporation) Hidden
WCF RIA Services V1.0 SP2 (HKLM-x32\...\{5D8DD6A8-C4D7-4554-93F9-F1CC28C72600}) (Version: 4.1.62812.0 - Microsoft Corporation)
Windows Driver Package - Lenovo (ACPIVPC) System  (12/02/2010 6.1.0.1) (HKLM\...\EA12B1FB53CE4E387C31A85236C41EF559B5E392) (Version: 12/02/2010 6.1.0.1 - Lenovo)
Windows Live Mesh ActiveX Control for Remote Connections (HKLM-x32\...\{2902F983-B4C1-44BA-B85D-5C6D52E2C441}) (Version: 15.4.5722.2 - Microsoft Corporation)
Windows Live Messenger (HKLM-x32\...\{33F8EAD4-B6EC-498B-B487-696B973D1C0C}) (Version: 8.5.1235.0517 - Microsoft Corporation)
Windows Live Sign-in Assistant (HKLM-x32\...\{49672EC2-171B-47B4-8CE7-50D7806360D7}) (Version: 4.100.313.1 - Microsoft Corporation)
WinRAR 4.11 (32-bit) (HKLM-x32\...\WinRAR archiver) (Version: 4.11.0 - win.rar GmbH)
Workflow Manager Client 1.0 (Version: 2.0.30813.2 - Microsoft Corporation) Hidden
Workflow Manager Tools 1.0 for Visual Studio (Version: 2.0.30725.1 - Microsoft Corporation) Hidden
XAMPP (HKLM-x32\...\xampp) (Version: 5.6.3-0 - Bitnami)
Zemana AntiMalware (HKLM-x32\...\{8F0CD7D1-42F3-4195-95CD-833578D45057}_is1) (Version: 2.72.101 - Zemana Ltd.)
微软设备健康助手 (HKLM-x32\...\{2EAC4B0F-6E44-4FF6-AA5E-5D100F2BAA59}) (Version: 1.5.3.1 - Microsoft Corporation)
用于远程连接的 Windows Live Mesh ActiveX 控件(简体中文) (HKLM-x32\...\{F992409C-9D10-4AE2-BAEB-B5409AD3785E}) (Version: 15.4.5722.2 - Microsoft Corporation)
谷歌拼音输入法 2.7 (HKLM\...\GooglePinyin2) (Version:  - Google Inc.)
適用遠端連線的 Windows Live Mesh ActiveX 控制項 (HKLM-x32\...\{622DE1BE-9EDE-49D3-B349-29D64760342A}) (Version: 15.4.5722.2 - Microsoft Corporation)

==================== Custom CLSID (Whitelisted): ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== Scheduled Tasks (Whitelisted) =============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

Task: {061F0FA4-D62B-44E4-8441-773653549120} - System32\Tasks\AutoKMSDaily => C:\windows\AutoKMS.exe
Task: {16F62F4A-E3A7-4EB1-98E1-254E5B8F2293} - System32\Tasks\MySQLNotifierTask => C:\Program Files (x86)\MySQL\MySQL Notifier 1.1.5\MySQLNotifier.exe [2013-11-25] (Oracle Corporation)
Task: {2279A256-0F7E-4964-9298-E7C5C09048C0} - System32\Tasks\Adobe Flash Player Updater => C:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2015-12-09] (Adobe Systems Incorporated)
Task: {2625E688-1E3A-4151-86D3-E3E54549F06A} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2015-08-30] (Google Inc.)
Task: {2F57269B-1E09-4E2D-AB1E-B0FDAC7D279C} - \Microsoft\Windows\WindowsBackup\ConfigNotification -> No File <==== ATTENTION
Task: {3009AF14-0182-4478-945F-85E9AA16B038} - System32\Tasks\Google Pinyin Daemon => C:\Program Files (x86)\Google\Google Pinyin 2\GooglePinyinDaemon.exe [2016-01-22] (Google Inc.) <==== ATTENTION
Task: {32FB1136-CAA3-4F0A-8005-554131A750F4} - System32\Tasks\Adobe Acrobat Update Task => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [2015-10-28] (Adobe Systems Incorporated)
Task: {64C7979A-5677-418A-B543-9F4DD7549588} - System32\Tasks\微软设备健康助手开机检测 => C:\Program Files (x86)\Microsoft Device Health\DhUpdate.exe [2015-01-30] (Microsoft Corporation)
Task: {6CD14696-8535-42D0-974D-1536D7A00FD2} - System32\Tasks\RealDownloaderRealUpgradeScheduledTaskS-1-5-21-1359419172-3491595909-2348629299-1001 => C:\Program Files (x86)\RealNetworks\RealDownloader\realupgrade.exe [2012-08-09] (RealNetworks, Inc.)
Task: {76999E7D-650B-47C5-A803-462E033DC6F8} - \Microsoft\Windows\Windows Activation Technologies\ValidationTaskDeadline -> No File <==== ATTENTION
Task: {780739B0-1898-4497-A76F-8C4C44AC6725} - System32\Tasks\{D4699E34-BCB4-48AB-A90E-DFB83F4644D6} => pcalua.exe -a D:\CYZ\Download\HijackThis.exe -d D:\CYZ\Download
Task: {7AB34FAD-57EE-4637-BCBE-B4E54C9394E3} - \Microsoft\Windows\Windows Activation Technologies\ValidationTask -> No File <==== ATTENTION
Task: {80794040-F5DF-4AD0-BF42-2FEB231848A5} - System32\Tasks\微软设备健康助手设备检查 => C:\Program Files (x86)\Microsoft Device Health\PluginManager\DhPluginMgrScheduler.exe [2015-01-30] (Microsoft Corporation)
Task: {86A97C22-955C-4417-A4C6-800FD0C6D6B7} - System32\Tasks\AutoKMS => C:\windows\AutoKMS.exe
Task: {8C715FA0-C36A-4545-9877-121863035BD6} - System32\Tasks\{91B8B184-2936-4DD2-A034-A42E0F5BEEC1} => pcalua.exe -a "C:\Users\Yu Zheng\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\9XXUN38F\JavaSetup8u45.exe" -d "C:\Users\Yu Zheng\Desktop"
Task: {9728A154-F652-455C-BB4F-BE8F20683618} - System32\Tasks\GoogleUpdateTaskMachineUA1d15c13b819c33a => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2015-08-30] (Google Inc.)
Task: {994C86AD-A929-4B2C-88A0-4E25A107A029} - System32\Tasks\Microsoft\Windows\SystemRestore\SR => %windir%\system32\srtasks.exe
Task: {9D53F332-5B40-45EE-AE38-205E7E4A1325} - System32\Tasks\微软设备健康助手自动更新 => C:\Program Files (x86)\Microsoft Device Health\DhUpdate.exe [2015-01-30] (Microsoft Corporation)
Task: {A349DFAE-5664-4BE5-997B-6462AA444CBA} - System32\Tasks\RealDownloaderDownloaderScheduledTaskS-1-5-21-1359419172-3491595909-2348629299-1001 => C:\Program Files (x86)\RealNetworks\RealDownloader\recordingmanager.exe [2012-08-09] (RealNetworks, Inc.)
Task: {A6AF9377-77CE-47AB-AD7D-EC32CAD0C82D} - System32\Tasks\Microsoft\Windows\Location\Notifications => %windir%\System32\LocationNotificationWindows.exe
Task: {A825F8D7-5378-4292-B491-4BF4BDAF15E3} - System32\Tasks\RealDownloaderRealUpgradeLogonTaskS-1-5-21-1359419172-3491595909-2348629299-1001 => C:\Program Files (x86)\RealNetworks\RealDownloader\realupgrade.exe [2012-08-09] (RealNetworks, Inc.)
Task: {ABFC1D8E-7FEA-4BB3-B2A4-F9667AABE67D} - System32\Tasks\{77896C98-A6A7-4C08-B5CA-2A930F8E447D} => pcalua.exe -a "C:\Users\Yu Zheng\Downloads\Age of Empires\Age of empires\setup.exe" -d "C:\Users\Yu Zheng\Downloads\Age of Empires\Age of empires"
Task: {AC4E5ACF-89F7-4220-BA21-81EE183975E2} - \Microsoft\Windows\Application Experience\AitAgent -> No File <==== ATTENTION
Task: {C789A7BD-CCEF-4D8B-B0C3-5A0B46828356} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2015-08-30] (Google Inc.)
Task: {CEE64558-E1A7-4D9D-80A7-2001912BE5B5} - \Microsoft\Windows\MemoryDiagnostic\CorruptionDetector -> No File <==== ATTENTION
Task: {D9A94517-9828-4988-9CD4-2E35D08510E4} - System32\Tasks\MirageAgent => C:\Program Files (x86)\Lenovo\YouCam\YCMMirage.exe [2010-12-05] (CyberLink)
Task: {ECE84F5B-62B7-451F-8EE6-6A5D75D339CE} - System32\Tasks\{FEDBD757-808D-4119-8142-1D2D455C93F7} => pcalua.exe -a "C:\Users\Yu Zheng\Downloads\www.sanguogame.com.cn__san5dos.exe" -d "C:\Users\Yu Zheng\Downloads"
Task: {F14C8BFF-A327-47EE-99BC-03101DE8C562} - System32\Tasks\GoogleUpdateTaskMachineCore1d15c13b7cb35d1 => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2015-08-30] (Google Inc.)
Task: {FA2BC0A6-8D4B-458A-85C8-2B8C72487513} - \Microsoft\Windows\MemoryDiagnostic\DecompressionFailureDetector -> No File <==== ATTENTION
Task: {FF09A2C6-F287-4FEE-A4D4-65C0068A6293} - System32\Tasks\AdobeAAMUpdater-1.0-YuZheng-PC-Anderson => C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe [2011-03-30] (Adobe Systems Incorporated)

(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)

Task: C:\windows\Tasks\Adobe Flash Player Updater.job => C:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe
Task: C:\windows\Tasks\AutoKMS.job => C:\windows\AutoKMS.exe
Task: C:\windows\Tasks\AutoKMSDaily.job => C:\windows\AutoKMS.exe
Task: C:\windows\Tasks\GoogleUpdateTaskMachineCore.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
Task: C:\windows\Tasks\GoogleUpdateTaskMachineUA.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
Task: C:\windows\Tasks\微软设备健康助手开机检测.job => C:\Program Files (x86)\Microsoft Device Health\DhUpdate.exe
/EnableDH  SYSTEM H此任务用于微软设备健康助手的状态检测和自我修复。了解更多请查阅hxxp:/support.microsoft.com
Task: C:\windows\Tasks\微软设备健康助手自动更新.job => C:\Program Files (x86)\Microsoft Device Health\DhUpdate.exe   SYSTEM Z此服务属于微软设备健康助手用于获取最新的版本有助于提高设备健康度及保障支付安全。了解更多请查阅hxxp:/support.microsoft.com
Task: C:\windows\Tasks\微软设备健康助手设备检查.job => C:\Program Files (x86)\Microsoft Device Health\PluginManager\DhPluginMgrScheduler.exe   SYSTEM C此任务用于微软设备健康助手的设备检查。了解更多请查阅hxxp:/support.microsoft.com

==================== Shortcuts =============================

(The entries could be listed to be restored or removed.)

ShortcutWithArgument: C:\Users\Yu Zheng\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\水浒传之梁山好汉\游戏无法运行.lnk -> C:\Program Files (x86)\Internet Explorer\iexplore.exe (Microsoft Corporation) -> "hxxp://www.paopaoche.net/?err"
ShortcutWithArgument: C:\Users\Yu Zheng\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\水浒传2天导108星\游戏无法运行.lnk -> C:\Program Files (x86)\Internet Explorer\iexplore.exe (Microsoft Corporation) -> " hxxp://www.962.net/app/downhelp.html"

==================== Loaded Modules (Whitelisted) ==============

2012-04-30 21:12 - 2005-03-12 01:07 - 00087040 _____ () C:\windows\System32\pdfcmnnt.dll
2012-08-09 13:02 - 2012-08-09 13:02 - 00038608 _____ () C:\Program Files (x86)\RealNetworks\RealDownloader\rndlresolversvc.exe
2011-02-17 01:56 - 2011-02-17 01:56 - 00202144 _____ () C:\Program Files (x86)\Lenovo\Onekey Theater\ActiveDetect64.dll
2011-02-17 02:01 - 2011-02-17 02:01 - 00156576 _____ () C:\Program Files (x86)\Lenovo\Onekey Theater\WindowsApiHookDll64.dll
2010-01-09 20:17 - 2010-01-09 20:17 - 04254560 _____ () C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\OFFICE.ODF
2010-01-21 01:40 - 2010-01-21 01:40 - 08794464 _____ () C:\Program Files\Microsoft Office\Office14\1033\GrooveIntlResource.dll
2011-12-27 20:20 - 2011-12-27 20:20 - 01508192 _____ () C:\windows\system32\IcnOvrly.dll
2011-12-27 20:20 - 2011-12-27 20:20 - 00628064 _____ () C:\windows\system32\SimpleExt.dll
2012-04-29 21:59 - 2012-02-17 20:55 - 00193536 _____ () C:\Program Files (x86)\WinRAR\rarext64.dll
2014-05-12 17:49 - 2014-05-12 17:49 - 00222720 _____ () C:\Program Files (x86)\Notepad++\NppShell_06.dll
2017-02-24 12:54 - 2017-02-24 12:54 - 00154480 _____ () C:\Program Files (x86)\Zemana AntiMalware\ZAMShellExt64.dll
2010-12-15 02:05 - 2010-12-15 02:05 - 00173856 _____ () C:\Program Files\Lenovo\Bluetooth Software\BTKeyInd.dll
2011-11-03 13:32 - 2011-09-26 00:36 - 00094208 _____ () C:\windows\System32\IccLibDll_x64.dll
2007-12-13 03:08 - 2007-12-13 03:08 - 01401856 _____ () C:\Acer\Empowering Technology\eDataSecurity\x64\libeay32.dll
2009-04-13 14:48 - 2009-04-13 14:48 - 00382000 _____ () C:\Acer\Empowering Technology\eDataSecurity\x64\ShowErrMsg.dll
2011-12-27 20:18 - 2011-12-27 20:18 - 00100256 _____ () C:\Program Files (x86)\Lenovo\Onekey Theater\OnekeySupport.exe
2008-12-20 11:20 - 2011-12-27 20:31 - 00054088 _____ () C:\Program Files (x86)\Lenovo\Energy Management\KbdHook.dll
2008-12-20 11:20 - 2011-12-27 20:31 - 00054088 _____ () C:\Program Files (x86)\Lenovo\Energy Management\HookLib.dll
2016-01-22 03:47 - 2016-01-22 03:47 - 00846360 _____ () C:\Program Files (x86)\Google\Google Pinyin 2\GooglePinyinService.exe
2012-01-18 16:11 - 2012-01-18 16:11 - 01229424 _____ () C:\Program Files (x86)\VMware\VMware Player\libxml2.dll
2011-02-17 01:51 - 2011-02-17 01:51 - 00161696 _____ () C:\Program Files (x86)\Lenovo\Onekey Theater\ActiveDetect32.dll
2011-02-17 01:53 - 2011-02-17 01:53 - 00133024 _____ () C:\Program Files (x86)\Lenovo\Onekey Theater\WindowsApiHookDll32.dll
2010-01-09 20:18 - 2010-01-09 20:18 - 04254560 _____ () C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Cultures\OFFICE.ODF
2010-01-21 01:34 - 2010-01-21 01:34 - 08793952 _____ () C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveIntlResource.dll

==================== Alternate Data Streams (Whitelisted) =========

(If an entry is included in the fixlist, only the ADS will be removed.)

AlternateDataStreams: C:\ProgramData\Temp:54D4173A [196]
AlternateDataStreams: C:\ProgramData\Temp:98F0614F [97]
AlternateDataStreams: C:\Users\Yu Zheng\Desktop\FYPTemplate:Mac_Metadata [42]

==================== Safe Mode (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)


==================== Association (Whitelisted) ===============

(If an entry is included in the fixlist, the registry item will be restored to default or removed.)

HKLM\...\.exe: CryptoPreventEXE => "C:\Program Files (x86)\Foolish IT\CryptoPrevent\CryptoPreventFilterMod.CryptoPreventEXEC" /"%1" %* <===== ATTENTION
HKLM\...\.com: CryptoPreventEXE => "C:\Program Files (x86)\Foolish IT\CryptoPrevent\CryptoPreventFilterMod.CryptoPreventEXEC" /"%1" %* <===== ATTENTION
HKLM\...\.scr: CryptoPreventSCR => "C:\Program Files (x86)\Foolish IT\CryptoPrevent\CryptoPreventFilterMod.CryptoPreventEXEC" "%1" /S %*

==================== Internet Explorer trusted/restricted ===============

(If an entry is included in the fixlist, it will be removed from the registry.)


==================== Hosts content: ==========================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2009-07-14 10:34 - 2012-12-20 15:25 - 00002198 ____A C:\windows\system32\Drivers\etc\hosts

127.0.0.1 crl.verisign.net CRL.VERISIGN.NET ood.opsource.net
127.0.0.1 activate.adobe.com
127.0.0.1 activate-sea.adobe.com
127.0.0.1 practivate.adobe
127.0.0.1 practivate.adobe.com
127.0.0.1 practivate.adobe.newoa
127.0.0.1 practivate.adobe.ntp
127.0.0.1 practivate.adobe.ipp
127.0.0.1 adobeereg.com
127.0.0.1 activate.wip1.adobe.com
127.0.0.1 activate.wip2.adobe.com
127.0.0.1 activate.wip3.adobe.com
127.0.0.1 activate.wip4.adobe.com
127.0.0.1 www.adobeereg.com
127.0.0.1 hl2rcv.adobe.com
127.0.0.1 wip.adobe.com
127.0.0.1 wip1.aobe.com
127.0.0.1 wip2.adobe.com
127.0.0.1 wip3.adobe.com
127.0.0.1 wip4.adobe.com
127.0.0.1 www.wip.adobe.com
127.0.0.1 www.wip1.adobe.com
127.0.0.1 www.wip2.adobe.com
127.0.0.1 www.wip3.adobe.com
127.0.0.1 www.wip4.adobe.com
127.0.0.1 3dns.adobe.com
127.0.0.1 3dns-1.adobe.com
127.0.0.1 3dns-2.adobe.com
127.0.0.1 3dns-3.adobe.com
127.0.0.1 3dns-4.adobe.com

There are 12 more lines.


==================== Other Areas ============================

(Currently there is no automatic fix for this section.)

HKU\S-1-5-21-1359419172-3491595909-2348629299-1001\Control Panel\Desktop\\Wallpaper -> C:\Users\Yu Zheng\AppData\Roaming\Microsoft\Windows\Themes\TranscodedWallpaper.jpg
DNS Servers: 192.168.0.1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 5) (ConsentPromptBehaviorUser: 3) (EnableLUA: 1)
Windows Firewall is enabled.

==================== MSCONFIG/TASK MANAGER disabled items ==

MSCONFIG\startupreg: BitTorrent => "C:\Users\Yu Zheng\AppData\Roaming\BitTorrent\BitTorrent.exe"  /MINIMIZED
MSCONFIG\startupreg: BlueStacks Agent => C:\Program Files (x86)\BlueStacks\HD-Agent.exe
MSCONFIG\startupreg: Power2GoExpress => NA
MSCONFIG\startupreg: Skype => "C:\Program Files (x86)\Skype\Phone\Skype.exe" /minimized /regrun
MSCONFIG\startupreg: VoipRaider => "C:\Program Files (x86)\VoipRaider.com\VoipRaider\VoipRaider.exe" -nosplash -minimized

==================== FirewallRules (Whitelisted) ===============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

FirewallRules: [{5B0536A9-D2E1-465D-980C-E4C595D11C0B}] => (Allow) C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe
FirewallRules: [{6D464A96-FF7B-4837-B11B-A8179B27F4DE}] => (Allow) C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe
FirewallRules: [{809A37BA-9D43-48E5-AB1C-FB2348DB2F77}] => (Allow) C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe
FirewallRules: [{17802D83-3FAC-4826-A860-7D37C089C157}] => (Allow) svchost.exe
FirewallRules: [{D3BCEBFA-958F-4265-AA6E-7D8544C47F63}] => (Allow) C:\Program Files (x86)\Windows Live\Messenger\livecall.exe
FirewallRules: [{7563DD9F-E88B-4A57-A3BE-414803FC32A2}] => (Allow) C:\Program Files (x86)\VMware\VMware Player\vmware-authd.exe
FirewallRules: [{0CEBCDD1-383F-493B-8CE7-C700E786B4B0}] => (Allow) C:\Program Files (x86)\VMware\VMware Player\vmware-authd.exe
FirewallRules: [{B2DE7C15-4475-4080-842F-26355A9D1007}] => (Allow) C:\Program Files (x86)\StarCraft II\StarCraft II.exe
FirewallRules: [{0248906A-0FED-45DD-92BA-ADA243F1F8C7}] => (Allow) C:\Program Files (x86)\StarCraft II\StarCraft II.exe
FirewallRules: [{EEA09A55-4033-4E5A-9279-A1C682689267}] => (Allow) C:\Program Files (x86)\StarCraft II\Versions\Base15405\SC2.exe
FirewallRules: [{207C1038-959E-4798-8D95-763031E7725F}] => (Allow) C:\Program Files (x86)\StarCraft II\Versions\Base15405\SC2.exe
FirewallRules: [{23A5D807-89B4-4408-8F30-1D0E90E3F1DE}] => (Allow) C:\Program Files (x86)\Adobe\Adobe Flash Builder 4.5\FlashBuilder.exe
FirewallRules: [{EF08E183-B9A5-4441-8354-17E01BEA905F}] => (Allow) C:\Program Files (x86)\Adobe\Adobe Flash Builder 4.5\FlashBuilder.exe
FirewallRules: [{036221F4-662B-47FF-B59B-C4FF2389600E}] => (Allow) LPort=7935
FirewallRules: [{4844D1BB-5326-4783-9D4C-D67C7ADA57B3}] => (Allow) C:\Users\Yu Zheng\AppData\Roaming\BitTorrent\BitTorrent.exe
FirewallRules: [{4C5B497C-F90B-4E18-826B-EE0880BB47BF}] => (Allow) C:\Users\Yu Zheng\AppData\Roaming\BitTorrent\BitTorrent.exe
FirewallRules: [TCP Query User{17298735-CE34-42F5-A17F-EB42B9F93958}C:\users\yu zheng\downloads\age of empires\age of empires\empires.exe] => (Block) C:\users\yu zheng\downloads\age of empires\age of empires\empires.exe
FirewallRules: [UDP Query User{CECA81BE-8ACD-4FB3-A3E3-2A0652653E47}C:\users\yu zheng\downloads\age of empires\age of empires\empires.exe] => (Block) C:\users\yu zheng\downloads\age of empires\age of empires\empires.exe
FirewallRules: [TCP Query User{6BFC5AB1-69BF-46FC-9DA1-30E7D87C3286}C:\program files (x86)\microsoft games\age of empires ii\empires2.exe] => (Block) C:\program files (x86)\microsoft games\age of empires ii\empires2.exe
FirewallRules: [UDP Query User{C1922452-2698-4310-B0ED-08F4A7CE9AC6}C:\program files (x86)\microsoft games\age of empires ii\empires2.exe] => (Block) C:\program files (x86)\microsoft games\age of empires ii\empires2.exe
FirewallRules: [TCP Query User{3FCFF4BA-D117-461A-B48A-0F8B13959680}C:\users\yu zheng\downloads\age_of_empires_expansion_fixed\empiresx.exe] => (Block) C:\users\yu zheng\downloads\age_of_empires_expansion_fixed\empiresx.exe
FirewallRules: [UDP Query User{7170A9BC-E351-4EED-9475-D544324863FE}C:\users\yu zheng\downloads\age_of_empires_expansion_fixed\empiresx.exe] => (Block) C:\users\yu zheng\downloads\age_of_empires_expansion_fixed\empiresx.exe
FirewallRules: [TCP Query User{FD170F67-5D01-455B-B0D2-FBBFA26386B1}C:\program files (x86)\voipraider.com\voipraider\voipraider.exe] => (Allow) C:\program files (x86)\voipraider.com\voipraider\voipraider.exe
FirewallRules: [UDP Query User{7DC6849C-FD40-4DDB-A0B9-3C31BFEAEE29}C:\program files (x86)\voipraider.com\voipraider\voipraider.exe] => (Allow) C:\program files (x86)\voipraider.com\voipraider\voipraider.exe
FirewallRules: [{2627E1D8-FBA3-427A-A202-9CEE97883785}] => (Block) C:\program files (x86)\voipraider.com\voipraider\voipraider.exe
FirewallRules: [{BEA4661F-605C-4F8A-A629-E1B0EC5B761A}] => (Block) C:\program files (x86)\voipraider.com\voipraider\voipraider.exe
FirewallRules: [{2F597FCA-BB5D-4854-A86F-3ABD5D883CC5}] => (Allow) C:\Program Files (x86)\Skype\Phone\Skype.exe
FirewallRules: [{1F094D59-35E8-44A4-B2E4-C62C694A6B1D}] => (Block) %ProgramFiles% (x86)\Image-Line\FL Studio 11\FL.exe
FirewallRules: [{A7AD4131-42EF-403A-8382-F408E1A5E332}] => (Block) %ProgramFiles% (x86)\Image-Line\FL Studio 11\FL (compatible memory).exe
FirewallRules: [TCP Query User{A38590DA-97B7-4436-A97C-D4993358E48D}C:\windows\kmsemulator.exe] => (Allow) C:\windows\kmsemulator.exe
FirewallRules: [UDP Query User{5C6EAD09-4F0D-48B8-B98F-C079E3C7AB10}C:\windows\kmsemulator.exe] => (Allow) C:\windows\kmsemulator.exe
FirewallRules: [{D87E9A45-B947-47A9-BEA9-71F24FED4618}] => (Block) C:\windows\kmsemulator.exe
FirewallRules: [{5526345B-A6CA-4661-8EA7-BA20751985F3}] => (Block) C:\windows\kmsemulator.exe
FirewallRules: [{71AF7E43-0784-4901-86F9-FC985BCA20EA}] => (Allow) C:\Program Files (x86)\Microsoft Visual Studio 12.0\Common7\IDE\devenv.exe
FirewallRules: [{94BE3D60-0F86-4A0C-9B50-BF72216FB549}] => (Allow) C:\Program Files (x86)\Microsoft Visual Studio 12.0\Common7\IDE\devenv.exe
FirewallRules: [{63DFBCF7-CC07-4A2C-AE54-8C86811F2497}] => (Allow) C:\Program Files (x86)\Microsoft Visual Studio 12.0\Common7\IDE\devenv.exe
FirewallRules: [{C6228DCE-FFFE-4848-BC23-86A5779F5E20}] => (Allow) C:\Program Files (x86)\Microsoft Visual Studio 12.0\Common7\IDE\devenv.exe
FirewallRules: [{3A98180D-76D7-47C3-A059-A4C66FC1C28D}] => (Allow) C:\Program Files (x86)\Microsoft Visual Studio 12.0\Common7\IDE\devenv.exe
FirewallRules: [{CCE90AAC-A45D-4824-BBC6-81F2EF269BDB}] => (Allow) C:\Program Files (x86)\Microsoft Visual Studio 12.0\Common7\IDE\devenv.exe
FirewallRules: [{55B724E1-D910-4AF6-A5A9-66C7576D09BD}] => (Allow) C:\Program Files (x86)\Microsoft Visual Studio 12.0\Common7\IDE\devenv.exe
FirewallRules: [{CD2BD7B0-07CE-402D-90F7-32E7E526B805}] => (Allow) LPort=12292
FirewallRules: [TCP Query User{A9C39E6B-3DA9-4696-B2C5-85A742D0BD26}C:\program files (x86)\littlefighter2\lf2_v2.0a\lf2.exe] => (Block) C:\program files (x86)\littlefighter2\lf2_v2.0a\lf2.exe
FirewallRules: [UDP Query User{DF99DA16-8948-4615-95D4-925103814143}C:\program files (x86)\littlefighter2\lf2_v2.0a\lf2.exe] => (Block) C:\program files (x86)\littlefighter2\lf2_v2.0a\lf2.exe
FirewallRules: [{6166304C-0918-4A2C-B186-787BB734CA57}] => (Allow) C:\Program Files (x86)\Firaxis Games\Sid Meier's Civilization 4\Civilization4.exe
FirewallRules: [{62B998CD-7BF9-42C8-94A9-C6721C6F811C}] => (Allow) C:\Program Files (x86)\Firaxis Games\Sid Meier's Civilization 4\Civilization4.exe
FirewallRules: [{13BEC4B5-F1EC-4E3C-91DA-653CA7217439}] => (Allow) C:\Program Files (x86)\Firaxis Games\Sid Meier's Civilization 4\Warlords\Civ4Warlords.exe
FirewallRules: [{5BDA445B-D5BC-4984-924A-A3154ACB5C22}] => (Allow) C:\Program Files (x86)\Firaxis Games\Sid Meier's Civilization 4\Warlords\Civ4Warlords.exe
FirewallRules: [{37702035-654F-4192-B13F-DC81AB3F34CF}] => (Allow) C:\Program Files (x86)\Firaxis Games\Sid Meier's Civilization 4\Warlords\Civ4Warlords_PitBoss.exe
FirewallRules: [{53F628E4-5350-477A-ACA4-91FB48D4E959}] => (Allow) C:\Program Files (x86)\Firaxis Games\Sid Meier's Civilization 4\Warlords\Civ4Warlords_PitBoss.exe
FirewallRules: [{917D8325-C572-445C-B891-FAE92234DFD3}] => (Allow) C:\Program Files (x86)\Firaxis Games\Sid Meier's Civilization 4\Beyond the Sword\Civ4BeyondSword.exe
FirewallRules: [{31A8294B-5710-40F2-A357-43106F26D809}] => (Allow) C:\Program Files (x86)\Firaxis Games\Sid Meier's Civilization 4\Beyond the Sword\Civ4BeyondSword.exe
FirewallRules: [{4645740F-1924-4FFF-88F0-24487CF254DD}] => (Allow) C:\Program Files (x86)\Firaxis Games\Sid Meier's Civilization 4\Beyond the Sword\Civ4BeyondSword_PitBoss.exe
FirewallRules: [{E3E27CB1-83AF-46B2-951B-0D9B57A415E1}] => (Allow) C:\Program Files (x86)\Firaxis Games\Sid Meier's Civilization 4\Beyond the Sword\Civ4BeyondSword_PitBoss.exe
FirewallRules: [{F8B1E6F7-B20B-4E5E-A363-D39449AE8522}] => (Allow) LPort=3306
FirewallRules: [TCP Query User{76A5906B-B8A9-43F5-A35F-5D565FB26DF5}C:\program files\java\jdk1.7.0_07\bin\java.exe] => (Allow) C:\program files\java\jdk1.7.0_07\bin\java.exe
FirewallRules: [UDP Query User{606BFF00-3EB5-425A-913E-45FDEBA0D874}C:\program files\java\jdk1.7.0_07\bin\java.exe] => (Allow) C:\program files\java\jdk1.7.0_07\bin\java.exe
FirewallRules: [{5326642D-CC4A-45E7-92FD-ACFFD72A721D}] => (Block) C:\program files\java\jdk1.7.0_07\bin\java.exe
FirewallRules: [{145B05AD-9E60-435B-9A1C-470CFE00710B}] => (Block) C:\program files\java\jdk1.7.0_07\bin\java.exe
FirewallRules: [TCP Query User{C3BC0FC4-DCDE-4235-A485-F26D640B2623}C:\program files\xampp\apache\bin\httpd.exe] => (Allow) C:\program files\xampp\apache\bin\httpd.exe
FirewallRules: [UDP Query User{BC61114A-FEA8-4C7F-998D-388F4284BB45}C:\program files\xampp\apache\bin\httpd.exe] => (Allow) C:\program files\xampp\apache\bin\httpd.exe
FirewallRules: [{63A1BFC1-E0DD-4906-BCD0-2DA69240226D}] => (Block) C:\program files\xampp\apache\bin\httpd.exe
FirewallRules: [{20DA3170-7906-48BB-867F-BAF98CCB6136}] => (Block) C:\program files\xampp\apache\bin\httpd.exe
FirewallRules: [TCP Query User{BA726E23-781B-4932-B0B0-88A5405A2138}C:\xampp\apache\bin\httpd.exe] => (Allow) C:\xampp\apache\bin\httpd.exe
FirewallRules: [UDP Query User{E2BA404E-7291-4062-97E6-1214F5E53E85}C:\xampp\apache\bin\httpd.exe] => (Allow) C:\xampp\apache\bin\httpd.exe
FirewallRules: [{06A64801-E76F-49A4-85AB-55646D0EAFE4}] => (Block) C:\xampp\apache\bin\httpd.exe
FirewallRules: [{0E765B6E-D364-4F45-AD65-4AFDF473C534}] => (Block) C:\xampp\apache\bin\httpd.exe
FirewallRules: [{A4B2EC94-BE02-4E72-BE84-65CB385D29E7}] => (Allow) C:\Users\Yu Zheng\AppData\Roaming\WIN10HELPER.EXE
FirewallRules: [TCP Query User{96AF26A2-E806-4173-A49F-5BC86BC52493}C:\program files (x86)\heroes of might and magic 2 gold\dosbox\dosbox.exe] => (Block) C:\program files (x86)\heroes of might and magic 2 gold\dosbox\dosbox.exe
FirewallRules: [UDP Query User{598C64D1-72FE-4433-ADDA-1CE839E2B237}C:\program files (x86)\heroes of might and magic 2 gold\dosbox\dosbox.exe] => (Block) C:\program files (x86)\heroes of might and magic 2 gold\dosbox\dosbox.exe
FirewallRules: [TCP Query User{D8407790-1B2C-4BB2-BEDF-7DAFAB57D7F8}C:\program files (x86)\warcraft ii bne\warcraft ii bne.exe] => (Block) C:\program files (x86)\warcraft ii bne\warcraft ii bne.exe
FirewallRules: [UDP Query User{F2CF8A28-C22B-453C-A46B-15E19080970B}C:\program files (x86)\warcraft ii bne\warcraft ii bne.exe] => (Block) C:\program files (x86)\warcraft ii bne\warcraft ii bne.exe
FirewallRules: [TCP Query User{33A9DAFD-3D43-4929-BF95-08CC18F50121}C:\program files (x86)\starcraft\starcraft.exe] => (Block) C:\program files (x86)\starcraft\starcraft.exe
FirewallRules: [UDP Query User{64E161FB-78B2-463C-98EB-70444C8AE481}C:\program files (x86)\starcraft\starcraft.exe] => (Block) C:\program files (x86)\starcraft\starcraft.exe
FirewallRules: [TCP Query User{43178190-6DCD-47E6-A5F9-EB1C69E651F3}C:\xampp\filezillaftp\filezillaserver.exe] => (Allow) C:\xampp\filezillaftp\filezillaserver.exe
FirewallRules: [UDP Query User{7BD77955-C7AC-4BB1-9600-84AD0823510C}C:\xampp\filezillaftp\filezillaserver.exe] => (Allow) C:\xampp\filezillaftp\filezillaserver.exe
FirewallRules: [{4193CCB2-FDEB-44F4-84D2-26962DA76B6D}] => (Block) C:\xampp\filezillaftp\filezillaserver.exe
FirewallRules: [{B7C6E54A-1770-4B4E-8C03-1F8F12D18CB3}] => (Block) C:\xampp\filezillaftp\filezillaserver.exe
FirewallRules: [{4D2E1D38-130B-4B18-8D2E-62BF3FA74A31}] => (Allow) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
StandardProfile\AuthorizedApplications: [C:\Acer\Empowering Technology\eDataSecurity\x86\eDSfsu.exe] => Enabled:eDSfs
StandardProfile\AuthorizedApplications: [C:\Acer\Empowering Technology\eDataSecurity\x86\encryption.exe] => Enabled:encryptio
StandardProfile\AuthorizedApplications: [C:\Acer\Empowering Technology\eDataSecurity\x86\decryption.exe] => Enabled:decryptio
StandardProfile\AuthorizedApplications: [C:\Acer\Empowering Technology\eDataSecurity\x86\eDSMgr.exe] => Enabled:eDSMg
StandardProfile\AuthorizedApplications: [C:\Acer\Empowering Technology\eDataSecurity\x86\eDStbmngr.exe] => Enabled:eDStbmng
StandardProfile\AuthorizedApplications: [C:\Acer\Empowering Technology\eDataSecurity\x64\eDSfsu.exe] => Enabled:eDSfs
StandardProfile\AuthorizedApplications: [C:\Acer\Empowering Technology\eDataSecurity\x64\encryption.exe] => Enabled:encryptio
StandardProfile\AuthorizedApplications: [C:\Acer\Empowering Technology\eDataSecurity\x64\decryption.exe] => Enabled:decryptio
StandardProfile\AuthorizedApplications: [C:\Acer\Empowering Technology\eDataSecurity\x64\eDSMgr.exe] => Enabled:eDSMg
StandardProfile\AuthorizedApplications: [C:\Acer\Empowering Technology\eDataSecurity\x64\eDStbmngr.exe] => Enabled:eDStbmng

==================== Restore Points =========================

24-02-2017 14:39:04 Windows Update

==================== Faulty Device Manager Devices =============

Name: Bluetooth Peripheral Device
Description: Bluetooth Peripheral Device
Class Guid:
Manufacturer:
Service:
Problem: : The drivers for this device are not installed. (Code 28)
Resolution: To install the drivers for this device, click "Update Driver", which starts the Hardware Update wizard.

Name: Bluetooth Peripheral Device
Description: Bluetooth Peripheral Device
Class Guid:
Manufacturer:
Service:
Problem: : The drivers for this device are not installed. (Code 28)
Resolution: To install the drivers for this device, click "Update Driver", which starts the Hardware Update wizard.


==================== Event log errors: =========================

Application errors:
==================
Error: (02/24/2017 10:57:36 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.

Error: (02/24/2017 04:06:33 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.

Error: (02/24/2017 03:37:41 PM) (Source: Application Hang) (EventID: 1002) (User: )
Description: The program wmplayer.exe version 12.0.7601.17514 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Action Center control panel.

Process ID: 1d0c

Start Time: 01d28e6ff118ee28

Termination Time: 200

Application Path: C:\Program Files (x86)\Windows Media Player\wmplayer.exe

Report Id: 10a23b98-fa64-11e6-9d2c-60d819ebe2f0

Error: (02/24/2017 03:21:06 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: hmpalert.exe, version: 3.6.3.586, time stamp: 0x589db2fd
Faulting module name: ntdll.dll, version: 6.1.7601.18247, time stamp: 0x521ea8e7
Exception code: 0xc0000005
Fault offset: 0x00038e19
Faulting process id: 0x390
Faulting application start time: 0x01d28e55d03bb669
Faulting application path: C:\Program Files (x86)\HitmanPro.Alert\hmpalert.exe
Faulting module path: C:\windows\SysWOW64\ntdll.dll
Report Id: cdc1cb01-fa61-11e6-9d2c-60d819ebe2f0

Error: (02/24/2017 01:52:01 PM) (Source: VSS) (EventID: 12293) (User: )
Description: Volume Shadow Copy Service error: Error calling a routine on a Shadow Copy Provider {b5946137-7b9f-4925-af80-51abd60b20d5}. Routine details IVssSnapshotProvider::QueryVolumesSupportedForSnapshots(ProviderId,29,...) [hr = 0x80042302, A Volume Shadow Copy Service component encountered an unexpected error.
Check the Application event log for more information.
].


Operation:
   Query volumes supported by this provider

Context:
   Provider ID: {b5946137-7b9f-4925-af80-51abd60b20d5}
   Snapshot Context: 29

Error: (02/24/2017 01:52:01 PM) (Source: VSS) (EventID: 8193) (User: )
Description: Volume Shadow Copy Service error: Unexpected error calling routine Error calling CreateFile on volume '\\?\Volume{2efa2760-91d6-11e1-8f9f-60d819ebe2f0}\'.  hr = 0x8000ffff, Catastrophic failure
.

Error: (02/24/2017 12:25:39 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.

Error: (02/24/2017 11:29:12 AM) (Source: WinMgmt) (EventID: 10) (User: )
Description: Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.

Error: (02/24/2017 07:55:33 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: IEXPLORE.EXE, version: 11.0.9600.17041, time stamp: 0x531807e4
Faulting module name: VBScript.dll, version: 5.8.9600.17041, time stamp: 0x53182b95
Exception code: 0xc0000005
Fault offset: 0x00037ff9
Faulting process id: 0x1078
Faulting application start time: 0x01d28e30366c11eb
Faulting application path: C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
Faulting module path: C:\windows\SysWow64\VBScript.dll
Report Id: 90087d29-fa23-11e6-a59c-60d819ebe2f0

Error: (02/24/2017 07:05:23 AM) (Source: WinMgmt) (EventID: 10) (User: )
Description: Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.


System errors:
=============
Error: (02/25/2017 02:42:00 AM) (Source: iaStor) (EventID: 9) (User: )
Description: The device, \Device\Ide\iaStor0, did not respond within the timeout period.

Error: (02/25/2017 02:41:59 AM) (Source: iaStor) (EventID: 9) (User: )
Description: The device, \Device\Ide\iaStor0, did not respond within the timeout period.

Error: (02/25/2017 02:41:58 AM) (Source: iaStor) (EventID: 9) (User: )
Description: The device, \Device\Ide\iaStor0, did not respond within the timeout period.

Error: (02/25/2017 02:41:40 AM) (Source: iaStor) (EventID: 9) (User: )
Description: The device, \Device\Ide\iaStor0, did not respond within the timeout period.

Error: (02/25/2017 02:41:39 AM) (Source: iaStor) (EventID: 9) (User: )
Description: The device, \Device\Ide\iaStor0, did not respond within the timeout period.

Error: (02/25/2017 01:20:26 AM) (Source: DCOM) (EventID: 10010) (User: )
Description: The server {995C996E-D918-4A8C-A302-45719A6F4EA7} did not register with DCOM within the required timeout.

Error: (02/25/2017 12:49:18 AM) (Source: iaStor) (EventID: 9) (User: )
Description: The device, \Device\Ide\iaStor0, did not respond within the timeout period.

Error: (02/25/2017 12:49:17 AM) (Source: iaStor) (EventID: 9) (User: )
Description: The device, \Device\Ide\iaStor0, did not respond within the timeout period.

Error: (02/25/2017 12:49:16 AM) (Source: iaStor) (EventID: 9) (User: )
Description: The device, \Device\Ide\iaStor0, did not respond within the timeout period.

Error: (02/25/2017 12:02:26 AM) (Source: Disk) (EventID: 11) (User: )
Description: The driver detected a controller error on \Device\Harddisk1\DR1.


CodeIntegrity:
===================================
  Date: 2013-04-18 14:20:42.875
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume2\Program Files (x86)\Tencent\QQPCMgr\7.5.8439.209\QQPCHelper.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

  Date: 2013-04-18 14:20:42.860
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume2\Program Files (x86)\Tencent\QQPCMgr\7.5.8439.209\QQPCHelper.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

  Date: 2013-04-17 09:22:58.111
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume2\Program Files (x86)\Tencent\QQPCMgr\7.5.8439.209\QQPCHelper.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

  Date: 2013-04-17 09:22:58.095
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume2\Program Files (x86)\Tencent\QQPCMgr\7.5.8439.209\QQPCHelper.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

  Date: 2013-04-17 00:54:07.158
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume2\Program Files (x86)\Tencent\QQPCMgr\7.5.8439.209\QQPCHelper.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

  Date: 2013-04-17 00:54:07.142
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume2\Program Files (x86)\Tencent\QQPCMgr\7.5.8439.209\QQPCHelper.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

  Date: 2013-04-16 16:23:03.172
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume2\Program Files (x86)\Tencent\QQPCMgr\7.5.8439.209\QQPCHelper.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

  Date: 2013-04-16 16:23:03.172
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume2\Program Files (x86)\Tencent\QQPCMgr\7.5.8439.209\QQPCHelper.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

  Date: 2013-04-16 00:57:07.797
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume2\Program Files (x86)\Tencent\QQPCMgr\7.5.8439.209\QQPCHelper.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

  Date: 2013-04-16 00:57:07.782
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume2\Program Files (x86)\Tencent\QQPCMgr\7.5.8439.209\QQPCHelper.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

 
 
==================== Memory info ===========================

Processor: Intel(R) Core(TM) i5-2450M CPU @ 2.50GHz
Percentage of memory in use: 45%
Total physical RAM: 8096.49 MB
Available physical RAM: 4439.1 MB
Total Virtual: 16191.16 MB
Available Virtual: 11839.03 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:420.33 GB) (Free:136.84 GB) NTFS
Drive d: (LENOVO) (Fixed) (Total:30.48 GB) (Free:20.92 GB) NTFS

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 465.8 GB) (Disk ID: 475EA825)
Partition 1: (Active) - (Size=200 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=420.3 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=30.5 GB) - (Type=OF Extended)
Partition 4: (Not Active) - (Size=14.8 GB) - (Type=12)

========================================================
Disk: 1 (MBR Code: Windows XP) (Size: 14.4 GB) (Disk ID: C3072E18)
Partition 1: (Not Active) - (Size=14.4 GB) - (Type=0C)

==================== End of Addition.txt ============================

 

 

 


On 28/2/2017 at 1:08 AM, Aura said:

There are a few things wrong with your system, but the infection (Cerber) looks gone to me.

 

Thank you for your verification on my system's status. By the way, what are the things that appeared to be wrong in my system? If you could highlight them, perhaps I can try to fix them. Once again, thanks for your help!

Edited by AndersonC

  • 3 weeks later...

Hi Aura,

I have a last question. Does Cerber Version 4 / 5

1) encrypt the original files and leave them just like that, or

2) make a copy of the original files and encrypt the copies, then delete the original unencrypted files?

I would be grateful if someone knows the definite answer to this.

 


This topic is now closed to further replies.